Search results

Internal Audit - choice of auditor

ISO 27001 does not prescribe who the internal auditor should be, so both approaches for choosing the internal auditor are acceptable.

You can train your employees to get the competence in ISO 27001 internal auditing to perform this job. If this person works in the department that needs to be audited, to avoid conflict of interest you can train the second auditor that will audit only this department where the first auditor performs his/her regular job.

This article will provide you a further explanation about performing an internal audit:

• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/

These materials will also help you regarding performing internal audit:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
• ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

Business Continuity Policy 22301

1. I'm reading the Business continuity Policy according to ISO 22301; I Don't understand why it is written, "Because in many cases the executives have no idea how business continuity can help their organization, which means they won’t be particularly interested in supporting the business continuity effort in their company."
How it can be possible?

I'm assuming you are referring to the article "The purpose of Business continuity policy according to ISO 22301" https://advisera.com/27001academy/blog/2013/06/04/the-purpose-of-business-continuity-policy-according-to-iso-22301/

Considering that, in the article's context, the statement means that very often executives do not understand the basics of business continuity, and they do not need to, because their jobs are focused on profit, market share, client satisfaction, cost-cutting, business strategy, and business risks, not in understanding disaster recovery site, business continuity plans, etc.

This situation makes the business continuity policy important: it makes executives stop to focus on business continuity, to understand the minimum they need to make proper decisions, and to make a formal and written statement about the importance of business continuity for the organization, how they will handle it (in most cases, by designating a competent staff to do the work).

2. If they are not involved that plant will be closed?

Executives' involvement is essential for business continuity because they are the ones who define priorities and resources, and if they are not involved, or support the business continuity initiative, it will most probably fail, and the plant will be at real risk of closing if a disaster hits it.

For further information, see:

• ISO 22301 benefits: How to get your management’s approval for a business continuity project https://advisera.com/27001academy/knowledgebase/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project/

8.1 Operational planning and control

In fact, the Project Plan and all templates in the toolkit can be used to fulfill this requirement, since some of them define what must be carried out (e.g., policies and procedures), and others record needed requirements (e.g., Specification of Information System Requirements), performed tasks (e.g., Internal Audit Report) and achieved results (e.g., Management review minutes)

This article will provide you further explanation about document management:

• Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

This material will also help you regarding document management:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

BCP and DR

BCP is wider than a DR. BCP aims to ensure the business continues to operate after a disruptive event, while the DR aims to handle the impacts at the affected area and bring operations back to normal conditions.

ISO 27001 aspects on business continuity process (section A.17 from ISO 27001 Annex A) are related to ensuring the availability of information and information systems during either crisis or disaster situations, so a full Business Continuity Plan is not mandatory for this standard, and you will only need the DR template included in your toolkit.

These articles will provide you further explanation about BCPs and DRPs:

• Disaster recovery vs Business continuity https://advisera.com/27001academy/blog/2010/11/04/disaster-recovery-vs-business-continuity/
• What to implement first: ISO 22301 or ISO 27001? https://advisera.com/27001academy/blog/2017/04/03/what-to-implement-first-iso-22301-or-iso-27001/

Is there any process flow chart available that can be used for an audit process?

Unfortunately, we do not have a flow chart document available for performing an ISO management system audit, but the main steps you should consider are:

• Document review
• Creating the checklist
• Planning the main audit
• Performing the main audit
• Reporting
• Follow up

This article will provide you further explanation about performing an audit:

• How to make an Internal Audit checklist for ISO 27001 / ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/

Questions about risk

Thank you

Product requirement Review record

It is absolutely OK not to make this record until you know that this is a more solid contact with potential customers. With this approach, you will fulfill the necessary requirement and be in compliance with ISO 13485:2016. 

For more details on complying with the latest changes in ISO 13485 clause 7.2.3 Communication, see the following link

Data Integrity

ISO 27001 makes use of a systematic management approach to help organizations:

• identify information security risks that can promise information confidentiality, integrity or availability (based on their context, objectives and interested parties needs)
• define proper controls to treat relevant risks (based on controls from Annex A, as well as from other sources of controls if needed), and expected information security performance results (i.e. information security objectives)
• periodically evaluate information security performance
• implement corrections and/or improvements based on achieved results

Regarding controls specifically related to protection of information integrity, these are some examples:

• A.10.1 Cryptographic controls
• A.12.5.1 Installation of software on operational systems
• A.9.4.4 Use of privileged utility programs 
• A.12.1.2 Change management

These articles will provide you further explanation about ISO 27001:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
•  Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Retaining personal information

I was trying to find the key stakeholders under GDPR. GDPR doesn't set a timeline on how long you must retain personal information of an employee, but what if we want to hold some of their information for auditing purposes, will this be allowed?

GDPR does not set any timeline about data retention because the needs may vary according to the kind of personal data are processed. You need to remember that any personal data must be processed under the principles listed in article 5 GDPR (data minimization, in particular). In some cases, Member States’ legislation may set obligation to keep documentation (i.e. bookkeeping records), so you need to verify first if any internal regulation requires you to retain your employees' personal data for a certain period of time. If you want to process data for auditing purposes you need to specify it in your employees’ privacy notice. 

Here you can find some information:

Who are the key stakeholders in a GDPR compliance project? https://advisera.com/eugdpracademy/blog/2018/09/24/who-are-the-key-stakeholders-in-a-gdpr-compliance-project/How the GDPR could impact your HR department https://advisera.com/eugdpracademy/blog/2018/02/22/how-the-gdpr-could-impact-your-hr-department/Is consent needed? Six legal bases to process data according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/Contents of the Data Protection Policy according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/contents-of-the-data-protection-policy-according-to-gdpr/

You can also consider enrolling in our free EU GDPR Foundation course: EU GDPR Foundations Course

Configuration management process

Thanks for the clarification, it is informative.