Search results

Documentation hierarchy

ISO 27001 does not prescribe documentation hierarchy, so organizations can adopt the framework that best suits their needs.

Considering that, using ISO 10013 as a reference for documentation hierarchy is an acceptable approach.

Regarding the fact that ISO 10013:2001 is a withdrawn standard, unless you have specific requirements to adopt this version (e.g., customer requirement or law), you should consider using the 2021 version of the standard, because its requirements are better aligned with current versions of ISO management systems standards.

For further information, see:

• How to structure quality management system documentation https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/

• Does a company need to be ISO certified to present a Quality Manual?

  No, any company can prepare a quality manual. By the way, ISO 9001:2015 no longer mentions a quality manual.

  Please check these articles:

  • The future of the Quality Manual in ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/the-future-of-the-quality-manual-in-iso-90012015/
  • How to write a short, concise Quality Manual - https://advisera.com/9001academy/knowledgebase/writing-a-short-quality-manual/

• Information Security Policy Creation

  Examples of Information Security Objectives are:
  - decrease the impact and/or number of information security incidents by 30% in 12 months
  - increase revenue of service XYZ by 5% in 12 months
  - win a new customer in 6 months
  - increase market share by 3% in 12 months

  For further information, see:

  • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

• Statement for logs retention periods regarding critical assets

  ISO 27001 does not prescribe retention periods for logs.

  To define proper retention periods, you need to perform a risk assessment and identify applicable legal requirements.

  In case your risk assessment and requirements do not provide a proper reference, you can try starting with a retention time of one year.

  For further information, see:

  • Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/

• Distributor vs Supplier quality agreement

  Quality agreement should be with the actual manufacturer because you need to be sure that the device is produced in accordance with ISO 13485 and MDR.  

• ISM Policy

  ISO 27001 does not prescribe which objectives to define, so you can use objectives related to your business strategy, to specific customers and regulators you must comply with. Additionally, you can also use more specific objectives related to security controls, security processes, etc.

  Some specific examples are:

  • win a new customer in 6 months
  • increase market share by 3% in 12 months

  For further information, see:

  • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

  • Custom Control Creation

    Considering your stated situation (Having operating system software and databases that are at the end-of-support life cycle), suggested assets, vulnerabilities, and threats, with respective controls are:

    • Assets: “Operating systems” and “Database management systems”
    • Vulnerabilities: “Rules for software and its databases not clearly defined” and “Requirements for software development not clearly defined”
    • Threats: “Maintenance errors” and “Application error”
    • Controls: “A.8.25 - Secure development life cycle” and “A.8.8  Management of technical vulnerabilities”

    Please note that end-of-support is part of the retirement step of an asset life cycle management process (in this case, applied to assets operating system software and databases), and so it is an expected situation for IT operations.

    Considering that, the vulnerability, in this case, would be related to not knowing what to do by this time.

  • ISO 27001 certification

    a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

    First of all, sorry for this confusion.

    This message is intended for companies that are implementing ISO 27001 for the first time. Since you already have implemented controls that reduce risks to an acceptable level, you do not need to include additional risks if you do not need to.

    However, security risks are evolving very quickly, so it is likely that you do have some unacceptable risks that you did not record previously. It is recommended that you try to identify these new risks.

    b) Will the certification auditor not pass the certification audit if there is no risk treatment actions?

    Please note that risk treatment actions are needed only in case you have relevant risks to treat or want to make changes in existing controls (e.g., to update technologies or include improvements).

    Since it is likely that your company is facing some new risks, the certification auditor will want to see if you managed to identify them. If you can convince the auditor that there are certainly no new risks, then you will pass the surveillance audit.

     c) What is your recommendation?

    In your situation, recommendations are:

    • Regarding risk assessment, take this opportunity to review your risk assessment, because after the last assessment new risks may have risen that may require treatment
    • Regarding risk treatment actions, in case you do not have relevant risks to treat, try to look for improvement opportunities in implemented controls and document them as risk treatment actions. This will show the auditor a greater level of maturity of your ISMS.

    For further information, see:

    • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment