Search results

Business impact analysis

Please note that although connected, BIA and Risk Assessment are different processes, and this connection does not make obsolete ISO 22317:2015, which defines guidelines for business impact analysis. You can still use this standard to help develop a BIA approach.

This article will provide you a further explanation about BIA and risk assessment:

• Risk assessment vs. business impact analysis https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/

Clause 8.3. applicability

Clause 8.3 is not about designing Standard Operating Procedures for use in-house.

Clause 8.3 is about designing a new product or service. Clause 8.3 may be the main job in your scientific research lab.

Whenever there is a go decision for a new research your lab has to:

• Set up a project team with resources, responsibilities and authorities. Set up a project plan - (this is about clause 8.3.2)
• Collect inputs (state of the art data and information, legislation and regulation applicable) - (this is about clause 8.3.3)
• Following the project plan there is reviewed, final verification and validation controls are - (this is about clause 8.3.4)
• An output comes out of a successful project plan – a prototype, specifications to manufacture or provide or use, Standard Operating Procedures to manufacture or provide or use, … - (this is about clause 8.3.5)
• Changes - (this is about clause 8.3.6)
   

So, it is very difficult to justify that clause 8.3 is not applicable to a scientific research lab implementing a quality management system according to ISO 9001:2015

The following material will provide you more information about design and development:

• The ISO 9001 Design Process Explained - https://advisera.com/9001academy/blog/2013/11/05/iso-9001-design-process-explained/
• Procedure for Design and Development - https://advisera.com/9001academy/documentation/procedure-design-development/
• Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – (where I use the process approach this way) - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

ISO Standards for HR Policies

 In a general way, the benefits of adopting ISO standards are related to:

• Enhanced competitive edge
• Reduction on losses due to errors, failures or incidents
• Reduction on fines due to legal or contractual non-conformity
• Improvement of internal organization

These articles will provide you a further explanation about ISO 27001 benefits:

• Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/
• How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/

These materials will also help you regarding ISO 27001 benefits:

• ISO 27001 benefits: How to obtain management support [free webinar on demand] https://advisera.com/27001academy/webinar/iso-27001-benefits-how-to-get-management-buy-in-free-webinar-on-demand/
• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

Maintenance of ISO 27001

1. I want the process of maintenance after organization certified with ISO 27001.

ISMS maintenance involves

• operate the ISMS
• update documentation
• review risk assessment
• monitor and measure the ISMS
• perform internal audit
• perform management review
• perform corrective actions

These articles will provide you a further explanation about ISMS maintenance:

• ISO 27001 Certification: What’s next after receiving the audit report? https://advisera.com/27001academy/blog/2015/05/18/iso-27001-certification-whats-next-after-receiving-the-audit-report/
• How to maintain the ISMS after the certification https://advisera.com/27001academy/blog/2014/07/14/how-to-maintain-the-isms-after-the-certification/

2. How to maintain the document policies procedures etc related the ISMS

Asset for Risk Assessment

The best way to check if all relevant assets are identified is by interviewing the people most related to the information the ISMS is being designed to protect (e.g., end-users, IT staff, managers, etc.). Additional information may be found in the available documentation, like procedures, and inapplicable legal requirements (e.g., laws, regulations, and contracts).

In our template for Risk assessment (https://advisera.com/27001academy/documentation/risk-assessment-table/), you will get a checklist of potential assets that could be included.

This article will provide you a further explanation about assets:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

ISO 9001 for international quality mark

ISO 9001:2015 is a standard for organizations not products. Certification bodies have strict rules to prevent connecting certification and products. For example, a label with the certification mark cannot be applied into a product or a package in direct contact with the product.

To be able to answer is question you must first answer to the question about what job do you need for your exclusive product?

1. Is it intellectual property protection?
2. Is it compliance with a legal requirement such as CE mark?
3. Is it a mark to convey credibility and image?
4. Another one?

ISO 9001:2015 certification is:

• very useful for 3
• may be useful for 2, since it sets a quality control plan and some preventive actions
• not useful for 1

Perhaps the information below is useful for you:

• Article - Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Article - ISO 9001 Certification - https://advisera.com/9001academy/iso-9001-certification/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book – Discover ISO 9001:2015 Through Practical Examples – https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

ISO 27001-ISO 27017 and ISO 27018

 If these apps you mentioned are not negatively affecting your ISMS scope by going into the cloud, or if their impacts are considered in the ISMS in a way that the related risks are acceptable, e.g., by the application of proper controls, then your assumption is correct, and your ISO 27001 certification is not at risk.

These articles will provide you a further explanation about ISO 27001 scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

ISO 27001 costs estimate

The cost of certification depends on the size of your company (i.e. the number of employees) and the price per man/day of local certification bodies - the best thing is to ask for quotes from a couple of certification bodies to get a feeling for the price. Here's an article that can help you: How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

The cost of implementation of a standard will include several items, you can find the details here: How much does ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/

Document control

ISO 27001 requires that documents from an external origin relevant to the ISMS be identified and controlled, but it does not define how, so organizations are free to implement the approach that better suits them. Internal and external contacts can share the same identification approach, but as a good practice you should consider different ways, so you can track them more easily, especially if you have more contracts from one type than the other.

Regarding change control, what generally happens with contracts is that changes on them are included as annexes, pointing out which clauses have been included, excluded, or changed, so you do not need to use a tablet to perform change control.

This article will also help you regarding document management and ISO 27001:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

These materials will also help you regarding document management and ISO 27001:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Email Addresses, Public Domain and US, India and EU Data Protection

You are right in thinking that a publicly listed email on the website is free to hand out, but the GDPR requires also to use personal data (i.e. email address) for the purposes for which are given. If someone lists the email address on his/her website, he/she wants to be contacted about his/her own activity (i.e. as a book blogger) they are not giving their consent to be inserted in an email database. 

You should contact them and ask for consent, even with automatic means, by asking them to be inserted in an email database for that purpose. You can imagine it as a service (something like “do you want to be updated with new authors publication?” or whatever your marketing team could imagine) and you need to ask them to consent to the transfer their address to third parties (authors).

Here you can find some articles about privacy policy and consent:

• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/ 
• Four main questions for obtaining and managing data subjects’ consent under GDPR: https://advisera.com/eugdpracademy/knowledgebase/four-main-questions-for-obtaining-and-managing-data-subjects-consent-under-gdpr/
• Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/

These materials will provide further help:

• EU GDPR document template Privacy Notice: https://advisera.com/eugdpracademy/documentation/privacy-notice/

• EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//