Search results


  • ISO 27001 Internal Auditor Course Question

    Please note that during document review the internal auditor must evaluate if documentation is compliant not only with the standard’s requirements but also with identified risks and opportunities, as well as relevant aspects of organizational context.

    For example, in case there is a relevant risk related to documentation being tampered with, the auditor needs to evaluate how the organization considers this in developing and managing the documents.

    Regarding the context of the organization, if the business involves regular remote interaction with customers and suppliers, this also needs to be evaluated regarding documents.

  • Advanced notification of change

    This depends on the significance of the change. If the change is life-threatening, this must be done immediately, or within 24 hours. If the change is not significant, then the timeframe is up to two weeks.

  • Clauses related to Statistical Process Control

    8.3.3.3 ... development of control and monitoring strategies for special characteristics of products ...

  • Risk Assessment Question

    1 - Following the steps, we first identified the assets and asset owners.

    It was quite difficult given the fact that for the same asset, we may have different asset owners.

    Should we keep them in separate lines? It's highly possible that there will be a different Risk Owner.

    To keep your asset as simple as possible, and in the interest of saving time, you should group the assets whenever possible (as for the asset owner you should consider the role with the highest hierarchical position between the roles you identified) and keep different lines only when extremely necessary.

    2 - Our company develops software and has many different applications. Therefore, the Category of Applications & Databases is quite long (42 lines!). We are trying to merge them as much as possible but struggle because we don't know if and how risky it will be to group them (since there are different asset owners).

    For a company of 50 people, we have gone too deep and need to get out before we proceed.

    Should we merge per name of asset?

    It is better to merge assets by considering the risks related to them. For example, if assets like Microsoft applications and Linux applications have similar risks, then it is better to adopt an asset called “applications” merging all risks.

    3 - Should we take into consideration the asset owner?

    You should consider the asset owner only as a secondary criterion because the primary reason for merging assets is that they share similar risks.

    4 - Can we have more than once the same 'name of asset'?

    You should avoid having two or more assets with the same name, to prevent mistakes in defining responsibilities for the assets. You should provide some additional information in the name of the asset to differentiate them (such as “laptop” and “sales laptop”).

    5 - Given that the company is relatively small, our CEO can also be an asset owner besides the risk owner. As 'asset owners' we recognised all those who have access to a document, application, or infrastructure. Is that correct?

    Please note that the “asset owner” is the person responsible for ensuring the asset is properly protected (e.g., by defining proper controls to be implemented). Considering that, not all people that have access to an asset are its owners (they need to follow security controls applied to the asset, but do not define such controls).

    6 - In addition, our company is located in 2 different countries with only one of them being in the scope for certification. The other (recognised as a subsidiary) will fully adopt the policies and actions of the mother company. That's why we implement the Risk Assessment and in general the ISO implementation simultaneously. All decisions derive from the mother company and the subsidiary has an Office Manager who will probably be the Risk Owner for most of the assets in the country he is responsible for.

    Some of our assets are doubled for this reason, for example: Office rooms in country A (one asset) & Office rooms in country B (second asset).

    Would you consider it 'too much'?

    Please note that you do not need to include in the site to be certified assets from the site that will not be certified. This will only add unnecessary complexity to your implementation. It would be better to develop a separate risk assessment considering only assets that are exclusive to the non-certified site.

    7 - Would you do a screening of our risk assessment table once it's done (Assets, Threats, Vulnerabilities, Risk Owners, Risk Identification)?

    Your toolkit includes a review of a set number of documents, so you can send your risk assessment and we will provide recommendations for implementation if needed.

  • ISO 27001 Risk Register

    You should include in your ISMS scope only the assets that you control - e.g., physical servers, software, and data; you should keep out of the scope assets you cannot control - data center building, telecom links, UPS, air conditioning, etc. 

    You will assess the risks in the following way: 

    • For the assets within the scope - by listing the assets, and their related vulnerabilities and threats. 
    • Since assets of your suppliers (data center) are outside of your scope, you will perform a risk assessment on the level of a particular supplier - by listing vulnerabilities and threats to their service. 

    You should perform all those assessments using the Risk Register in Conformio.

  • Training Register

    So we use the training module in Conformio as a repository for records of all training done for employees of the company. There is no other feature in it other than for record keeping. 

  • Did ISO 27002 have any update between v2013 and v2022?

    Between 2013 and 2022 no updates were published, only some minor corrections.

    For details about these corrections, please, see:

    • Corrigendum 2014 https://www.iso.org/standard/66806.html
    • Corrigendum 2015 https://www.iso.org/standard/69379.html

  • Queries on Risk register

    1 - Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole or do we need to add different assets that are applicable to the organization?

    Please note that additional assets would be required only if you need more detailed information to manage risks related to specific assets.

    For smaller companies we suggest not adding additional assets, to keep things simple.

    If you need more detailed information, please see the examples below.

    If your Google Infrastructure is used by two different business units, Sales and R&D, then maybe you should add specific assets like “Google Infrastructure – Sales Servers” and “Google Infrastructure – R&D Servers” so you can handle related risks in different ways.

    Laptops are another example. If laptops from Sales and R&D have different risks, then you should consider creating assets like “Sales laptops” and “R&D laptops”, so you can handle specific risks for each asset.

    For further information, see:

    2 - Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms with a single category as Infrastructure. Could you please explain to me how we should define?

    Could you kindly let me know if we need to define different categorized products with Assets and then specify with the vulnerabilities associated to that specific asset in the Risk register for internally developed software?

    Please note that the use of one or more categories will depend on the assessed risks. In case the assets are related to the same risks, then they can be combined in a single category. In case there are assets with specific risks, then you should consider grouping them in different categories, so you can treat the different risks in the way that best fits each.

  • Documents monitoring KPIs regarding applicable controls

    In Conformio, performance indicators can be found in the “Reporting Dashboard” link, accessible through the left-side panel on the main screen. The bottom section of the dashboard is “ISO 27001 Performance Dashboard”, and through the button “View more stats”, you can find details about the Fulfillment of objectives. A report with the objectives is exported automatically when you fulfill the tasks “Enter the measurement related to the objective…”. The PDF file will be available in the “Documents” >> “ISO 27001” >> “Lists Reports Statements and Plans” link, accessible through the left-side panel on the main screen.

    In our ISO 27001 toolkits, performance indicators can be recorded in the Measurement report, which can be found in folder 12 Management review.
