Search results

ISMS roles and responsibilities

This is not sufficient, because not only the ISMS champions must know about their information security responsibilities, but also all personnel included in the ISMS scope, so they can know who to look for in case of a situation related to information security.

In  this case, you must also consider:

• Document information security roles and responsibilities in the policies and procedures used by the organization.
• Provide awareness and training sessions for all personnel included in the ISMS scope.

This article will provide you a further explanation about documenting roles and responsibilities:

• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

These materials will also help you regarding roles and responsibilities:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

ISO 22301 gap analysis

Please note that ISO 22031 does not require a gap analysis to be performed, and it is not recommended for smaller companies, because, in general, it is not worth the effort due to their size and complexity. As an alternative, you can use the internal audit checklist, located on folder 10 Internal Audit, to make a quick assessment of your situation.

Ecosystem degradation cause

Environmental changes that cause ecosystem degradation are based on many factors including:

• Urbanization
• Population growth
• Economic growth
• Intensification of agriculture
• Increase in energy use
• Increase in transportation

You can find more information about ISO 14001 below:

• Protect and improve biodiversity performance by implementing ISO 14001 - https://advisera.com/14001academy/blog/2019/09/09/iso-14001-and-biodiversity-how-to-improve-performance/
• Enroll for free online training - ISO 14001:2015 Foundations Course: https://advisera.com/training/iso-14001-internal-auditor-course/
• Book – The ISO 14001:2015 companion: https://advisera.com/books/the-iso-14001-2015-companion/

Internet Access

Although ISO 27001 does not prescribe access to the Internet only through the organization as mandatory, what happens in real life is that this is more a common sense for business practice, as survival and competitive question than a standard's requirement (most of the businesses and their relations go through the Internet).

Considering that, when organizations resources, like email services, are available through direct access to the Internet (e.g., to allow remote work), a common practice is the usage of access through Virtual Private Networks (VPNs), where the organizations implement controls such as protected communication, and access control to limit external access to authorized users, only to needed information, and also can monitor activities and information flow.

A third important point is awareness activities, so employees can understand the importance to access the Internet only through the organization, and the consequences on direct access.

This article will provide you a further explanation about network controls:

• How to manage the security of network services according to ISO 27001 A.13.1.2 https://advisera.com/27001academy/blog/2017/02/13/how-to-manage-the-security-of-network-services-according-to-iso-27001-a-13-1-2/

This material will provide you further information about employee awareness:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

Procedure for clinical trials

Yes, you are right. Unfortunately, in our toolkit there is no procedure for clinical trials because, in MDR 2017/745, requirements for documents for clinical investigation are very detailed described in Article 63, Article 72, and in Annex XV (Chapter II and III). Further on, clinical trials must be performed according to harmonized standard ISO 14155:2011 Clinical investigation of medical devices for human subjects — Good clinical practice. In most cases, clinical trials are conducted by specialized companies. 

Which documents are necessary for medical devices you can find in the following material: 

• EU MDR Checklist of Mandatory Documents https://info.advisera.com/13485academy/free-download/eu-mdr-checklist-of-mandatory-documents

• Risk assessment for GDPR

  "Hi Team,

  I do have a question as part of our toolkit plan.
  We have finished the risk assessment and treatment plan based on the 27001 approaches, which is asset-based.
  In the webinar "How to integrate GDPR with ISO 27001" it was mentioned that recommended is combined "Risk Assessment" for 27001 and GDPR.
  My question is in case you have template methodology that combines both approaches? 

   

  The webinar does not recommend the combined risk assessment for ISO 27001 and GDPR. On the contrary, the webinar recommends doing the risk assessment for ISO 27001, and DPIA for GDPR.  

  In fact, ISO 27001 is focused on information security and, as you said, is asset-based. GDPR focuses on the risks for freedom and rights of individuals arising from data processing, so the focus is on the data subject.

  ISO 27001 risk assessment helps to implement GDPR requirements but there is no template that combines both GDPR and ISO 27001 because they are different regulations and require different implementation. 

  In our EU GDPR & ISO 27001 Integrated Documentation Toolkit you can find a chart with the list of relevant documentation and with reference to mandatory requirements by both regulations. You bought ISO 27001 Documentation Toolkit so you can verify what documentation you need to implement in order to comply with GDPR requirements.

  You can find this chart in the free demo of the EU GDPR & ISO 27001 Integrated Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

   

  How do we need to augment current 27001 methodologies & template to be GDPR compliant?Our current risk register includes assets of type "Processes/Services", which map with processing activities.To confirm I am not speaking about DPIA, which is unique to GDPR.

  As I said, the focus between the two regulations is slightly different so ISO 27001 can help you to implement GDPR, however, implementing GDPR will require specific documentation. To comply with GDPR requirements you have to perform DPIA, and there are templates in the GDPR Toolkit or in ISO 27001 & GDPR Integrated Toolkit for that purpose. 
   

  Is there anything specific in GDPR that would require to extend methodology that is included in your 27001 templates? 

  You need to implement the data protection policy, data retention policy, employee data protection policy, privacy policies, and documentation which is specific of GDPR and is not covered by ISO 27001, like the inventory of processing activity according to requirements of Article 30 GDPR, eventually appointing a Data Protection Officer.

  Here you can find our Toolkit to help you implement GDPR requirements.

  • EU GDPR Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
  • EU GDPR & ISO 27001 Integrated Documentation Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-iso-27001-integrated-documentation-toolkit/

  Here you can find more information:

  • Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
  • What is EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help

  You may also consider enrolling in this online EU GDPR Foundations Course:
  EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• E-privacy laws compliance

  From your question, I understand that your company processes the personal data of your clients. Your company collects personal data in order to send newsletters and communication. This processing activity falls in the scope of GDPR (EU Regulation 2016/679) while e-privacy Directive applies to “the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community, including public communications networks supporting data collection and identification devices” (Article 3 ePrivacy Directive).

  In order to comply with GDPR you need to verify your process of data, have a privacy policy, inform data subjects about data processing, data retention periods, and be sure you are processing data under a legitimate ground and implement GDPR requirements.

  Here you can find some articles to guide you and we developed a toolkit to help data controller to comply with GDPR requirements.

  • GDPR vs e-Privacy regulation https://advisera.com/eugdpracademy/blog/2018/02/21/gdpr-vs-e-privacy-regulation/
  • First steps to take to reach GDPR compliance: https://advisera.com/eugdpracademy/blog/2018/10/08/first-steps-to-take-to-reach-gdpr-compliance/
  • 7 biggest priorities to comply with GDPR on time https://advisera.com/eugdpracademy/blog/2018/01/25/7-biggest-priorities-to-comply-with-gdpr-on-time/
  • Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
  • Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/

  You may also consider enrolling in this online EU GDPR Foundations Course:EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

• Remote auditing

  In such instances as these, and I am envisaging at least another two similar audits of this nature, how can I be confident of the effectiveness of the outcome of an audit as this

  Answer:

  An effective audit is an audit that meets its objectives. As a good start, work with your client on the definition of the audit objectives. That way you can focus your time and attention in a very specific set of topics. You can use this picture to set the stage of the audit:

  

  Start with the audit objectives. Then, it's backwards. What audit findings should be collected and what audit sample size? And, therefore, what evidence needs to be audited? What areas of the organization and what topics? Hence, what documentation do you need to audit? How long will it take to read it? Allocate time for this reading during the audit.

  I also have another where I've to submit to a surveillance audit via remote means.

  Next June 25th Advisera will present a webinar on remote internal audits. With this pandemic event I already performed some internal remote audits myself. You can do the interviews with videoconferencing applications; you can review digital documents and records through share screening and with permission take screen shots to document evidences. You can audit operations with an auditee or a surrogate auditor using a smartphone or a tablet. You can interview operators, you can ask to zoom and review hard copies of documents and records, you can take a panoramic view of locations.

  I invite you to read this article – What are the benefits and barriers when performing remote audits? - https://advisera.com/articles/what-are-benefits-and-barriers-when-performing-remote-audits/

  Perhaps these Accreditation and Certification Bodies requirements may be useful to pick some ideas:

  • IAF Informative Document For Management of Extraordinary Events or Circumstances Affecting ABs, CABs and Certified Organizations - https://www.iaf.nu/upFiles/IAFID32011_Management_of_Extraordinary_Events_or_Circumstances.pdf
  • IAF Mandatory Document for the use of Information and Communication Technology (ICT) for Auditing/Assessment Purposes - https://www.iaf.nu/upFiles/IAF%20MD4%20Issue%202%2003072018.pdf
  • Principles on Remote Assessment -https://www.iaf.nu/upFiles/IAFID12PrinciplesRemoteAssessment22122015.pdf

• Non-Conformity 10.1 and 10.2

  1. Since we already have the Templates for the Topic “Non-Conformity 10.1 and 10.2” in our Toolkit, Could you please give some examples of kinds of Non-Conformity.

  A good non-conformity statement has three topics:

  • observed fact
  • requirement not fulfilled
  • objective evidence

  An example of non-conformity statement may be:

  Changes that can affect information security are not being properly controlled, compromising the effectiveness of the control A.12.1.2- Change management Control, and clause 8.2 - Information security risk assessment. Evidence: "The serial number of server *** in the production environment is ABC1234, while the serial number recorded for the same server in the inventory of assets is FGH6789," or "The change made on the server *** at DD/MM/YYYY, according to maintenance schedule plan from Jan-2018 does not identify the change request that authorized the change," and "there is no evidence that a risk assessment was performed for the server change."

  • observed fact: Changes that can affect information security are not being properly controlled
  • requirement not fulfilled: control A.12.1.2- Change management Control, and clause 8.2 - Information security risk assessment
  • objective evidence: "change made on server *** at DD/MM/YYYY" and the lack of risk assessment

  You should note that writing a non-conformity requires some level of knowledge of the standard and practice of performing audits.

  I suggest you take a look at our free ISO 27001:2013 Internal Auditor Course to know more about audits at this link: https://advisera.com/training/iso-27001-internal-auditor-course/

  2. Can the Main Deviations marked by the Lead Auditor in Pre-Audit be taken as Non-Conformities?

   A non-conformity is something not performed as planned, or result not expected, which would be a deviation, so you can consider the deviations marked by the Lead Auditor in Pre-Audit as non-conformities

• ISO 9001 Process Approach

  ISO 9000:2015 about the process approach states that consistent and predictable results are achieved more effectively and efficiently when activities are understood and managed as interrelated processes that function as a coherent system. 

  What motivates your Directors? Getting results!

  So, why not using the need to meet desired results or avoid undesirable results to start using the process approach and start showing results? Last week I used the process approach in a company with a problem of financial fines imposed by a client because of late deliveries. This week I used the process approach in a company with a big complaint from an important client. You can start using the process approach as a tool to solve performance challenges, that way you will be getting future allies in the use of the process approach not in a reactive but in a proactive way.

  I use the process approach to reduce variability, as a lever to meet objectives, to design competency requirements, to determine job descriptions with sound responsibilities and authorities, to determine risks and opportunities.

   

  You can find more information about the process approach below:

  • ISO 9001: The importance of the process approach - https://advisera.com/9001academy/blog/2015/12/01/iso-9001-the-importance-of-the-process-approach/
  • Free webinar on demand - The Process Approach - What it is, why it is important, and how to do it - https://advisera.com/9001academy/webinar/iso-9001-process-approach-free-webinar-on-demand/
  • Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
  • Book (where I use the process approach extensively) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/