Search results

ISMS scope - Not interested in ISO27001 accreditation

You can still define the whole organization in the ISMS scope, but in cases where you have physically separate sites, the most common approach, for those which goes for certification, is to separate the scope by sites (ISO 27001 accepts scope definition in terms of location, processes, business units, or information). This way, in case a site is not compliant, it does not affect the certification in the other sites.

Since you are not going for certification at this moment, you should evaluate the costs and effort involved in both approaches (i.e., centralized and decentralized scope).

SoA’s justification for the selection of control

1. If there is no risks from the risk treatment (thus nor risk treatment number for the control), should one use risks from the risk assessment (select risk numbers which have already treated by a control) for the justification for selection?

our assumption is correct. If you identified during the risk assessment that relevant risks are already in acceptable levels because the related control is already implemented, then you can use these risks as justification for the applicability of the control in the SoA.

For further information, see:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2. I have a hard time to figure out which are differences between secure areas (A.11.1.5) and securing offices, rooms and facilities?

Control A.11.1.5 refers to how to work on secure areas (e.g., do not use cameras inside, forbid unsupervised work, etc.), while control A.11.1.3 refers to physical controls implemented to improve the security of the environment (e.g., located away from public traffic, soundproof, etc.).

These articles will provide you a further explanation about physical security:

• Physical security in ISO 27001: How to protect the secure areas https://advisera.com/27001academy/blog/2015/03/23/physical-security-in-iso-27001-how-to-protect-the-secure-areas/

These materials will also help you regarding ISO 27001 controls:

• ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

BCP- IT Disaster recovery

For this mapping, I suggest you take a look at these templates (although they are related to ITIL, they can be applicable to ISO 27001 IT Disaster Recovery):

• Service Catalogue https://advisera.com/20000academy/documentation/service-catalogue/
• Configuration Management https://advisera.com/20000academy/documentation/cmdb/

The first can help you as a custodian of the information about all operational services.
The second can help you record all configuration item-related data.

These articles will provide you a further explanation about service catalog and configuration management:

• What is the relationship between Service Level Management and the Service Catalogue in ISO 20000? https://advisera.com/20000academy/blog/2016/04/12/what-is-the-relationship-between-service-level-management-and-the-service-catalogue-in-iso-20000/
• Knowing your herd – Service Asset and Configuration Management (SACM) https://advisera.com/20000academy/blog/2013/06/04/knowing-herd-service-asset-configuration-management-sacm/

Risk of identifying too few risks

ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

Considering that, the auditor will be more concerned about the quality of the identified risks (i.e., how relevant they are for the organizations) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence to the process or asset would easily identify. To mitigate this risk you need to include in the risk assessment the personnel involved with the process or asset.

As for the number of risks (please note that the word "scenarios" is more adequate when talking about business continuity), you mentioned, 200 is a good number. To have a parameter, when using the asset-threat-vulnerability approach, a small organization generally identifies between 50 to 100 assets, with 3 vulnerabilities and 2 threats for each asset, so they identify between 300 to 600 risks.

An important thing to note is that risk for which you already have implemented controls (and you will only accept the risk) also count for your relevant risks.

These articles will provide you a further explanation about risk assessment and treatment:

• ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
• How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
• 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
• Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/

Are entities in certain countries still required to form binding corporate rules?

it's regarding Module 8: Data transfers and managing third parties in the DPO courseThe lecturer explains that there are certain countries that need binding corporate rules between companies transferring to each other who are operating under the same parent company. He explains that there are countries identified as having an adequate level of data protection (i.e the EU member states), and then explains that certain countries were not yet recognized have adequate protection such as the United States was not recognized as having the adequate level of data protection. Is this list of countries still up to date?

You can find the current list on the website of the European Commission here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_enJapan and the United States (limited to the Privacy Shield framework) were added.

Are entities in these countries still required to form binding corporate rules?

The course explained that binding corporate rules are suitable for large-size companies belonging to the same group, while other companies better use data transfer agreements.

However, entities located in the United States can now transfer data based on an adequacy decision instead of Binding corporate rules. In fact, Article 46 GDPR states that transfer on the basis of binding corporate rules happens in the absence of a decision under Article 45 GDPR.

You can find more information here:

• Article 45 GDPR: https://advisera.com/gdpr/transfers-on-the-basis-of-an-adequacy-decision/
• Article 46 GDPR: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• Article 47 GDPR: https://advisera.com/gdpr/binding-corporate-rules/
• 3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

You may also consider enrolling in this online EU GDPR Foundations Course: EU GDPR Foundations Course

Identifying and measuring Key Performance Indicators

You can start by identifying your relevant interested parties. For example:

Then, considering the purpose of your organization, put yourself in the shoes of your relevant interested parties and list what they expect from your organization. One can think about: safe food and correctly labeled and packaged food. What happens if food is not safe or not correctly labeled and packaged?

As key performance indicators, your organization can have effectiveness indicators:

• # unsafe food events
• # of complaints about incorrectly labeled and packaged food

As key performance indicators, your organization can also have indicators about government and general public perception/opinion about the results of the public health unit work.

Then, your organization can have indicators about the amount of work done real versus planned. For example:

• # of inspections done / # of inspections planned
• Rate of approved restaurants
• Rate of approved foods
• Real cost of operation / planned cost of operation

As a rule of thumb consider indicators concerning:

• Effectiveness;
• Efficiency;
• Quantity of inspections

You can find more information about indicators below

• How to define Key Performance Indicators for a QMS based on ISO 9001 - https://advisera.com/9001academy/24/define-key-performance-indicators-qms-based-iso-9001/-iso-9001/
• ISO 9001 document template: Matrix of Key Performance Indicators - https://advisera.com/9001academy/documentation/matrix-key-performance-indicators/
• Practical tips for measuring your QMS according to ISO 9001:2015 clause 9.1 - https://advisera.com/9001academy/blog/2017/08/29/practical-tips-for-measuring-your-qms-according-to-iso-90012015-clause-9-1/
• Free webinar on demand - Measurement, analysis, and improvement according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/measurement-analysis-and-improvement-according-to-iso-9001-2015-free-webinar/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/

Scope, Criteria and Objectives

The QMS scope sets the borders where the QMS is implemented according to the criteria. An example of a QMS could be:

• All activities and shifts at XYZ Company’s Townsville factory of plastic products

Other examples could be:

• Inspection of ships, Classification and Certification, Construction and Project Supervision of Ships
• Development, production and analysis of fine chemicals and active pharmaceutical ingredients

The QMS Criteria sets the rules to be followed. Normally they are divided in three groups:

• Normative reference (s): ISO 9001: 2015
• Processes and documentation defined in the organization's system
• Regulatory, statutory, legal and contractual requirements applicable to activities

QMS Objectives can be (for example):

• Improve customer satisfaction by X% until date Y
• Reduce rate of complaints by Z% until date T
• Reduce defects by A% until date B
• Reduce cycle time by C% until date D 

You can find more information about these topics in the following links:

• How to define the scope of the QMS according to ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/how-to-define-the-scope-of-the-qms-according-to-iso-90012015/
• Free webinar - ISO 9001:2015 clause 4 - Context of the organization, interested parties, and scope - https://advisera.com/9001academy/webinar/iso-90012015-clause-4-context-of-the-organization-interested-parties-and-scope-free-webinar-on-demand/
• List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
• ISO 9001 – Aligning quality objectives of the QMS with the strategic direction of the company - https://advisera.com/9001academy/blog/2017/03/07/aligning-quality-objectives-of-the-qms-with-the-strategic-direction-of-the-company/
• How to Write Good Quality Objectives - https://advisera.com/9001academy/knowledgebase/how-to-write-good-quality-objectives/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Requirement of ISO 13485 for manufacturing of semi-finished product

Yes, you need to prove that your prosthetic liner is biocompatible with the human body. To prove it, you need to perform certain tests according to the ISO 10993-1:2018 Biological evaluation of medical devices — Part 1: Evaluation and testing within a risk management process. Guidance on which tests you need to perform you can find in Annex A of this standard. The number and scope of tests will depend on the length of contact of the medical device with the skin, the type of contact, and the like. 

Considering the test for durability, you need to prove how long your product is stable when using in compliance with instructions of use. This includes, for example: how long the prosthesis is worn during the day, whether it is properly maintained, whether it is left somewhere in the strong sun or not.

As for testing, I don’t know what part of the world you’re in. If you are in Europe, there is a whole chain of Eurofins labs that do different tests, so you can ask them.

ISO 13485 requirements for outsourced processes under MDR

Hi, my question concerns companies that provide sales, service, repair, and installation services to customers. Obviously, they don't have control over the outsourced process, as it can only be justified by legal manufacturer, not distributors. Do you have any advice for managing the outsourced process in such cases? Also, I would appreciate it if you could point out any specific regulation under UKMDR that would be applicable to this matter.

Integration suggestion on QMS (AS9100) & ISMS (27001)

Inclusions and exclusions in the scope of ISMS will depend on the information, your organization wants to protect.
You need to identify in which part of your company is your most valuable information - see the details here: How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

For example, if the most important information is about new products, then the Research & Development process/department must be in the scope. If the most important information is about customers, then the Customer support process/department must be in the scope. You can also define all the organization's information as part of the ISMS scope.

This article can provide you further answer about integrating management systems (the general concept applies to your case):

• How to implement integrated management systems https://advisera.com/articles/how-to-implement-integrated-management-systems/

These materials will also help you regarding scope definition:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/