Search results

Risk assessment

1. As I fill out the risk assessment table and do the risk assessment, we are finding that some risk should be owned by a third party connected to our ISO scope, is it ok to list them as the asset and risk owner, they would be responsible if the risk would surface.

Risks related to elements outside the ISMS scope should be treated by controls of section A.15 - Supplier relationships. Through Service Level Agreements (SLAs), Operational Level Agreements (OLAs) or Terms and Conditions of Service, the organization makes clear and enforces the expected information security controls to be applied. In this scenario, someone in the organization still is the risk owner, but the treatment is delegated to the third party.

For further information, see:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

2. We have some SDLC (systems development life cycle) controls listed in 06 SOA, we stated in our scope document that software development is not in scope, however, if we know that controls are in place already should we document that in the SOA?

The main purposes of the SoA are to identify which controls are applicable or not in the ISMS scope, the justifications for such decisions, and the implementation status of those controls deemed as applicable, but you can document implemented controls that are not part of the ISMS scope in the SoA as a good practice (ISO 27001 requirements do not prohibit this).

This way you will have a centralized information source about all implemented controls you have, even if they are not implemented in the ISMS scope. This can be useful, for example, if in the future you need to include such controls in the ISMS scope (you will have quick information about what you already have).

You only need to pay attention to ensure that the situation of the control as not part of the ISMS scope is perfectly clear in the justification. For example:
"Program source code is not in the ISMS scope, however, this control is tracked in the SoA as a good practice, to keep a centralized database of the organization's applied controls."

This article will provide you a further explanation about SoA:

• The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

Activity strategy document

Please note that this template is an appendix, developed to define how all the necessary resources for a critical activity will be recovered. The potential disruptive incident scenarios are documented in its main document, the Business Continuity Strategy, section 3.2 - Risk management (this is one of the documents you already have)

To see how the description of a disruptive incident looks like, I suggest you take a look at the free demo of our Examples of Disruptive Incident Scenarios at this link: https://advisera.com/27001academy/documentation/examples-of-disruptive-incident-scenarios/

ISO 27001 controls

The main rules here are:

• you need to have clear objectives for the controls
• the controls' objectives need to support relevant business objectives
• responsibilities must be clearly defined (usually through policies and procedures)
• people must have the proper competencies (usually through awareness, training, and education)

With clear control objectives, you will know which resources you need, where to apply them, who needs to be involved, and when adjustments are needed, avoiding low performance and waste. However, this is only half of the way.

With clear links between control objectives and business objectives, you can easily demonstrate to top management that the information security effort is paying off.

With clear responsibilities people will know what is expected from them, focusing on activities that add value to the business, and avoiding unrelated activities.

Finally, with proper competencies, the personnel will be more engaged with information security (they will know why is important to do what they have to do and how to perform such tasks)

These articles will provide you a further explanation about security objectives:

• ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
• Key performance indicators for an ISO 27001 ISMS https://advisera.com/27001academy/blog/2016/02/01/key-performance-indicators-for-an-iso-27001-isms/

Accreditation for ISO 9001

First, the word is certification not accreditation. Organizations are certified according to ISO 9001 by certification bodies. Certification bodies are accredited by accreditation bodies according to ISO/IEC 17021-1.

So, after implementing a quality management system (QMS) an organization may decide to get certified. There are several certification bodies available. Organizations select three or four and send a request for quotation and select the one that best suits the requirements. Please check these two articles:

• How to choose a certification body - https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• How should you pick an ISO 9001 certification body? - https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

After reaching an agreement and signing a three year contract, your organization and the certification body set a date for an audit, a certification audit. Please check these articles:

• How to prepare your company for the ISO 9001 certification audit - https://advisera.com/9001academy/03/how-to-prepare-your-company-for-the-iso-9001-certification-audit/
• What questions to expect on the ISO 9001 certification audit - https://advisera.com/9001academy/blog/2016/04/19/what-questions-to-expect-on-the-iso-9001-certification-audit/

After the certification audit an audit report is issued and if an organization has nonconformities it has to treat them. After getting the certification, the organization will have yearly surveillance audits to verify compliance and improvement of the QMS. Please check this article:

• What is an ISO 9001 surveillance audit? - https://advisera.com/9001academy/blog/2016/10/18/what-is-an-iso-9001-surveillance-audit/ 

Please check more information about ISO 9001 below:

• Article – Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
• Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• ISO 9001:2015 Documentation Toolkit - https://advisera.com/9001academy/iso-9001-documentation-toolkit/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

Destruction of printed confidential data

ISO 27001 and GDPR give no unique solution on how to dispose of your printed documents. ISO 27001 requires classifying documentation and you can implement different procedures depending on the information incorporated in the printed document. Is there any confidential information? Are you dealing with a particular kind of personal data under Article 9 GDPR? Do the printed documents contain no personal information or anonymized information? The solution can be different.

Any disposal should comply with your data retention policy and data protection policy in order to avoid accidental destruction of documentation which is considered a data breach because of its impact on the integrity of data.If you decide to appoint an outside company, you need to check their compliance with GDPR requirements and other quality standards such as ISO 27001 and the recycling process. Under GDPR you should make a data processing agreement with your supplier because the outside company will process (through destruction) data on your behalf.

Here you can find some useful information on printed documentation under ISO 27001

• Why is ISO 27001 applicable also for paper-based information? https://advisera.com/27001academy/blog/2019/01/21/why-is-iso-27001-applicable-also-for-paper-based-information/  
• Secure equipment and media disposal according to ISO 27001: https://advisera.com/27001academy/blog/2015/12/07/secure-equipmentand-media-disposal-according-to-iso-27001/
• 5 practical tips for media disposal according to ISO 27001: https://advisera.com/27001academy/blog/2018/10/22/5-practical-tips-for-media-disposal-according-to-iso-27001/  

Our template of Supplier Data Processing Agreement may be of help:https://advisera.com/eugdpracademy/documentation/supplier-data-processing-agreement/  

You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

If you need more information, you can also consider enrolling in this free online training ISO 27001 Foundations Course: https://advisera.com/training/iso-27001-foundations-course/ 

Process capability

To understand the acceptance values ​​of the process capability, the first thing to look at is customer-specific requirements. Apart from this, according to AIAG PPAP revision, 4 manual published by Ford, GM, DaimlerChrysler on 1st of June 2016, the acceptance criteria were determined as follows.

For more information please to read the following article:

Risk register

Possible threats to this scenario related to employees are:

• Conflict of interest - in case the project objective may not be beneficial for one of the departments
• Unauthorized access to information - access rights granted to evaluate the project data may grant access to information not related to the project
• Leakage/disclosure of information - people from the departments nor directly related to the project may have access to the project data

This article will provide you a further explanation about security in projects:

• How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

GDPR and Data Subject Request flow

Article 12 GDPR contains most of the data subject request flow. It requires that data controller to:

• Make easy exercising the rights for data subjects (authomatic setting in user's page on a website can be an example, or unsubscribe bottom);
• Provide on a request as soon as possible and within one month from the request.
• Allow electronic means as form of exercise data subjects rights instead of other means (i.e. postmail)
• Remember to illustrate in your privacy notice how to exercise data subjects right. 

The responsibility for complying with data subject rights is on the data controller and note that fines for noncompliance are the highest (up to 20 million Euro or 4% annual turnover if higher). Therefore, you must ensure that your staff is trained in complying with data subject rights.

You should set rules in your internal procedures on data subject rights. Here you can find some useful templates:

GDPR Consent & Data Subject Rights Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-consent-data-subject-rights-toolkit/ 

Here you can find the free EU GDPR Data Subject Access Request Flowchart: https://info.advisera.com/eugdpracademy/free-download/eu-gdpr-data-subject-access-request-flowchart 

Here is the text of the Article 12 from GDPR: https://advisera.com/eugdpracademy/gdpr/transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject/  

You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//

Scope for ISO 27001

The ISMS scope can cover all organization, or only specific locations, processes, or information.

The main point when considering this approach is the effort required to keep the ISMS scope separated from the rest of the organization's elements (for small and mid-sized organizations many times the effort is not worthy, and it is better to include all the organization in the ISMS scope)

These articles will provide you a further explanation about the scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

Controls A.6.1.3 and A.6.1.4

1. How can the Organization be compliant with these Controls?

A.6.1.3:  Contact with Authorities:      Does it mean contact with the Superior Authority who is also the supreme body for GDPR?

In case your organization has to answer to this authority, then this is one way to fulfill this control. Other examples are law enforcement agencies and emergency services.

2. A.6.1.4:  Contact with Special Interest Groups:  Does having ISACA Memberships of some other Interest Groups are taken into consideration?

In case these groups can help you support your ISMS you can consider them to fulfill this control.

This article will provide you a further explanation about interested groups:

• Special interest groups: A useful resource to support your ISMS https://advisera.com/27001academy/blog/2015/04/06/special-interest-groups-a-useful-resource-to-support-your-isms/