First of all, sorry for this confusion.
The documents from section A.18 are not missing from the toolkit. These documents are covered in the toolkit in folder "02 Procedure for identification of requirements".
Included in the toolkit there is a List of Documents file that shows which documents cover which clauses of the standard.
Since patching involves changes in the environment, you should take a look at the Change Management Policy template included in your toolkit, in folder 08 Annex A Security Controls >> A.12 Operations Security, to see if it can fulfill your needs.
Regarding control A.12.6.1, there is no template covering this specific clause.
Please note that Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:
Since our target is SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:
In case you identify that you really need to apply control A.12.6.1, you can contact our support by email, or in a scheduled online meeting (https://advisera.com/27001academy/consultation/), so one of our experts can help you on how to better evidence this control implementation.
For further information, see:
Clauses 6.1.2 and 6.1.3 refer to the planning, and first application, of risk assessment and risk treatment ("The organization shall define and apply..."), while clauses 8.2 and 8.3 refer to subsequent application of the process ("(...) at planned intervals or when significant changes are proposed or occur, (...)").
1. Is there any document showing how to link policies? That is which policies are dependent on which policies?
First, it is important to note that ISO 27001 does not require such a document, and since the standard does not prescribe which policies should be developed, it is unfeasible to develop such a list in a general way.
Now, considering the documents of our toolkits, we develop them with a "Reference documents" section, to point out which documents are related to each template, so you can use the information in this section to build such a list.
For further information, see:
2. How to show risks of inadequate leadership in a nice way.
If the risks are related to missing documents required by the standard, like the information security policy, you can simply mention that the document is missing and the action of leadership is to ensure they are developed.
In case the risks are related to leadership behavior required by the standard, like promoting continual improvement, a good way to present such risks is to state that related requirements of the standard are not being "properly" followed. This way you can imply that leadership is doing something, which is better than stating that they are doing nothing, but that what is being done is not enough to comply with the standard.
For further information, see:
1. Can you please advise what the difference is between the EN and the cloud documents (screenshot below)? The READ THIS FIRST does not explain. I checked the Table of Contents. Is it for different scenarios depending on if existing systems are cloud-based or on-premise? Apologies but I thought it would save time to ask.
The difference between these is basic layout (no change in content). The EN version was designed as a single and independent document, while the cloud document is an annex from a main Business Continuity Plan document, so it does not have a cover page. This is the single difference.
2. Also, I can open the files on my personal computer but when I copy them to my organization's network, they won't open even when I rename them. They must be blocked by our own security filters.
A possible cause may be that the whole document name, including the path in the organization's network, has a number of characters that is above the maximum allowed by the operating system. To check if this is the cause, try to change the name of the file to a single character and then try to open it. If it opens, then you should try to rename it to a shorter name. If it does not open, please send the document to us for analysis.
If I understood correctly, you want examples of objectives related to ISO 22301 certification.
Considering that, the most common benefits for organizations which seek certification against ISO management standards are:
To be more specific, it would be necessary to know the university context (e.g., main courses, students profile, location, etc.).
These articles will provide you further explanation about ISO 27001 benefits (the same concept applies to ISO 22301):
You asked
Please help me in calculating uncertainty
Advisera's ISO 17025 toolkit guides you through the implementation of ISO 17025. The ISO 17025 document template Evaluation of Measurement Uncertainty Procedure and the related Measurement Uncertainty Checklist and Measurement Uncertainty Record are available as part of the ISO 17025 toolkit, or as separate documents, to guide you in the process.
See the following expert advice answer on the topic, with links to available toolkits documents: https://community.advisera.com/topic/meas-of-uncert-budget-pipette/
You also asked
how can I use uncertainty to evaluate the competence of the operators and also that the method is fit for purpose
A complete discussion of measurement uncertainty is outside of the scope of the toolkit. Measurement uncertainty is a statistical measure, offering a range within which there is an equal probability of the result value lying, at a particular confidence. This uncertainty estimate is a combination of all factors that affect the variability of results, on a method basis, so it cannot be used directly to evaluate the competence of personnel performing the method. One way of evaluating the competence of the operators is to analyse the variation of groups of results during or after validation.
To state that a method is fit for its intended purpose means providing evidence that the method is sufficiently reliable, so that the method can be used with confidence for a client to make a decision based on the results provided. The performance of a method must be evaluated through validation, along with an evaluation of measurement uncertainty. Uncertainty of measurement comprises many components, over a period of time for methods that have many variables. Depending on the purpose of the method, a suitably small uncertainty may have to be achieved for a method to be fit for purpose. Look to regulatory or sector guidelines on acceptable or target uncertainties.
The ISO 17025 toolkit and available toolkit documents are available for preview or purchase at https://advisera.com/17025academy/iso-17025-documentation-toolkit/
Here are the four essential steps to becoming an ISO-certified business.
1. Develop your management system. Identify your core or business processes. ...
2. Implement your system. Ensure procedures are being performed as they are described in your documentation. ...
3. Verify that your system is effective. ...
4. Register your system.
It is best to make a gap analysis between your current Quality Pharmaceutical System and the requirements of ISO 13485:2016.
For that step, the following documents can be helpful:
You can schedule a free 30-minute consultation with our ISO 13485 expert who can provide you with more information on how to proceed: https://advisera.com/13485academy/free-consultation/
Harmonized standards that can be applicable to medical devices are listed at the following link: https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/medical-devices
In that list there is one standard applicable for hospital beds: EN 60601-2-52:2010 - Medical electrical equipment — Part 2-52: Particular requirements for basic safety and essential performance of medical beds.