It is not mandatory to implement all 114 controls of Annex A of ISO 27001:2013, you only need to implement those that you need to reduce risks identified during the risk assessment (or those that are related to law, contractual requirements, etc.).
This article will provide you further explanation about the selection of controls:
These materials will also help you regarding ISO 27001:
I'm assuming that by AVP you mean "Assistant Vice President".
Considering that, the person to approve the Internal audit must be the one in the highest position in the ISMS scope (i.e., the person most interested in the ISMS results). It should not be the person with responsibilities for the operation of information security (e.g., CSO or CISO) because this would be a situation of conflict of interest.
The return to normal operations is covered in the Business Continuity Plan, in section "4. Restoring and resuming business activities from temporary measures". This template is located in folder 07 Business Continuity Plan.
Regarding pandemics, we still do not have them covered in the templates, but next week we will announce a webinar on the topic: "How to use ISO 22301 to continue operations during the pandemic".
1. Why ISO 27001 documentation toolkit from Advisera does not have a template for “Secure Development Environment Guidelines”?
Answer: Please note that ISO 27001 does not require a Secure Development Environment to be documented, and not many companies are asking for such a document, so we decided not to develop this template. You can document these guidelines as part of the Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System Acquisition Development and Maintenance.
If you have access to ISO 27002, you can find guidance on how to secure the development environment. If you do not have access to this standard, I suggest this link for some insight: https://advisera.com/27001academy/blog/2018/04/24/how-to-use-open-web-application-security-project-owasp-for-iso-27001/
2. We are a medium organization where we do limited development, particularly customization of COTS software (Web Content Management {CMS} and Student Information Management {SIMS}). In this case, how do we analyze which A.14 controls will be applicable to our organization?
Answer: The applicability of controls is defined by performing the risk assessment and risk treatment processes, and by the identification of any legal requirement (e.g., laws, and contracts) applicable to your organization.
The templates for performing the risk assessment and risk treatment processes are located on folder 05 Risk Assessment and Risk Treatment, and templates for performing identification of legal requirements are located on folder 02 Identification of Requirements.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding risk assessment and risk treatment:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Let us start with ISO 14001:2015, clause 6.1.1. Organizations determine risks based on their environmental aspects, compliance obligations, and context and interested parties.
Determining risks and opportunities based on context and interested parties is straightforward. For example, an organization that manufactures plastic packaging can realize that consumers (an interested party) are pressuring governments to issue legislation (an external issue) about single use plastics. So, part of that company’s products will face a dark future. That’s a risk.
Please check the risk definition (3.2.10) in ISO 14001:2015 (effect of uncertainty). With environmental aspects and impacts we are considering normal, expected situations, like startup and closing down operations, but also abnormal and emergency situations. Whenever there is uncertainty there are risks or opportunities; there is a potential deviation from the expected.
About determining risks based on environmental aspects and compliance obligations I see that different organizations follow different approaches:
1. There are organizations that determine their environmental aspects and use a risk and opportunities assessment to determine its significant environmental aspects. (Please see the end of the second paragraph of Annex A.6.1.1 of ISO 14001:2015)
2. There are organizations that determine their environmental aspects, evaluate them and determine the significant ones, and use a risk and opportunities assessment to determine which ones need an action plan and which ones need only to be monitored.
3. There are organizations that only apply the risk-based approach to the context part. In a certain way they are following the same approach as 1 without explicitly mentioning it.
Let us present another example:
In this example, the risk of not complying with the wastewater discharge permit can be considered very low for a normal situation, for normal operation, but very high for an emergency situation.
In the example above, one of the risks, one of the possibilities, is an emergency due to a wastewater treatment unit malfunction. That malfunction can generate a negative deviation from the expected: it can generate a discharge exceeding permit limits, increase river pollution, and generate more environmental aspects and impacts like neighborhood complaints.
Sorry not to be able to help you, but we are experts on the implementation of ISO management standards in small and mid-sized businesses, not on legal advice about countries' laws and regulations or on BC of critical infrastructure of big organizations.
Maybe you can find the information you are looking for on these sites:
To cover ISO 27001 requirements for business continuity, it is sufficient to use the Disaster Recovery Plan template, located in folder 08 Annex A >> A.17 Business Continuity >> 04 Business Continuity Plan.
In the list of documents file included in your toolkit, you can identify which documents are related to each clause of each standard.
For use in a combined ISO27k/22301/GDPR implementation, you should consider using the 11.A.17_Disaster_Recovery_Plan_Integrated document. In case your environment has specific requirements for cloud environments (e.g., laws or contracts you must be compliant with), you should consider the A.17_Disaster_Recovery_Plan_Cloud.