Search results

Appendix_1_Risk_Assessment_Table - vs. - A.8.1_Inventory_of_Assets

 I have a question regarding asset list/inventory. We are creating the list of assets for the Risk Assessment and Risk Treatment process. Once that list is complete and we come up with threats and vulnerabilities for each, is there any need for a separate list of assets as in A.8.1 Inventory of Assets?

ISO 27001 does not prescribe how to built an Inventory of Assets, and normally a single inventory is sufficient when control A.8.1 is considered applicable, so if you do not have any other requirement (e.g., a law, regulation, or contract) demanding a separated inventory, you can keep a single inventory.

For further information, see:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

I know that you have stated that "assets are not only the information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to an organization.", so I have a question on that as well:

Our company is using a consulting group that has an online tool for managing all records and policies, but it seems to define assets stictly as devices. Also, risks are listed separately and are linked only to "category type" not to a specific detail asset.

Unfortunately, I am not sure I understood your question entirely. Could you please clarify?

GDPR in software development and blockchain

This is a great and very useful answer, Alessandra! And right in time. My organization has decided to partake in the EBSI initiative (European Blockchain Service Infrastructure). Some people in the organization have a pilot node running, and this was done without consulting with the CISO & DPO and now questions are being raised. Particularly concerning how compatible blockchain can be with someone requesting his data to be rectified or deleted... as that is precisely one of the key elements of blockchain technology: you cannot delete things.

Your CISO and DPO raised the point of tension between GDPR and blockchain. The question is under discussion among Data Protection Authorities. Most depend on the kind of blockchain you are implementing (public, private, permissioned?). However, you need to make a Data Protection Impact Assessment and structure the project following the principle of privacy by design and privacy by default (can data be anonymized or encrypted? Can you store personal data off-chain?). You also need to make clear in your privacy notice that you are using blockchain in order to be transparent with your users and make them aware of the impact of their actions on their rights.

Then, the main suggestion arrived are:

• Avoid storing personal data on a blockchain. Make full use of data obfuscation, encryption, and aggregation techniques in order to anonymize data
• Collect personal data off-chain or, if the blockchain can’t be avoided, on private, permissioned blockchain networks.
• Consider personal data carefully when connecting private blockchains with public ones
• Continue to innovate and be as clear and transparent as possible with users.

Do you happen to have any references discussing this? The compatibility between GDPR and blockchain technologies?

You can find some information on blockchain and GDPR in these articles:

• The GDPR impact on blockchain development: https://advisera.com/eugdpracademy/blog/2019/06/10/gdpr-and-blockchain-how-do-they-impact-each-other/
• What do GDPR authorities say about blockchain? https://advisera.com/eugdpracademy/blog/2019/06/24/blockchain-gdpr-compliance-how-its-regulated-by-authorities/

Do you happen to know how to proactively integrate this technology into the ISO 27001 framework, as I'm sure the next ISO 27001 version will have to take it into account regarding security and privacy issues.

ISO 27001 can help you to implement risk assessment, identify vulnerabilities, and implement action required. You should use principles and guidelines provided to implement processes considering the particular structure of the blockchain.

You can find some useful information in our free whitepaper EU GDPR and how can ISO 27001 help? https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help 

Company only with manager/owner

ISO 45001 is applicable for any organization in any industry, so it can definitely be used by a company with a single owner/manager. The requirements are written to be descriptive but not prescriptive, meaning they tell you what needs to be done but not how to do it. So, you can perform the necessary processes with the employees you have, and in the best way for your organization.
For more information on what is included in the requirements, see our whitepaper: Clause-by-clause explanation of ISO 45001:2018, https://info.advisera.com/45001academy/free-download/clause-by-clause-explanation-of-iso-45001

ISO 9001 Internal Audit requirements

I believe that you can find an explanation in this free webinar on demand - How to perform an ISO 9001:2015 internal audit - https://advisera.com/9001academy/webinar/how-to-perform-an-iso-9001-2015-internal-audit-free-webinar-on-demand/

For example, on slide 9 we present the process:

Then, we develop each step.

You can find more information about the internal audits in following links:

• ISO 9001 – What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/ 
• ISO 9001 Audit Checklist - https://advisera.com/9001academy/knowledgebase/iso-9001-audit-checklist/
• Free online training ISO 9001:2015 Internal Auditor Course – https://advisera.com/training/iso-9001-internal-auditor-course/
• Book -  ISO Internal Audit: A Plain English Guide - https://advisera.com/books/iso-internal-audit-plain-english-guide/
   

ISO representative responsibilities

ISO 9001:2015 no longer requires the role of an ISO representative. Many organizations continue to consider that function within their quality management system architecture. Once ISO 9001:2015 no longer mentions the ISO representative, each organization can design the set of authorities and responsibilities most suitable for their particular situation.

A classic is being responsible for liaison with certification body. Other responsibilities can be:

• Inform and guide the organization on quality issues;
• Promote customer focus;
• Manage quality meetings;
• Review the Quality Manual;
• Coordinate the audit process;
• Gather resources in order to maintain and improve the QMS; 
• Define quality indicators; 
• Follow up on the goals established for the various indicators; 
• Identify and participate in the analysis of non-conformities, proposing and promoting, when applicable, corrective / preventive actions with a view to continuous improvement.

You can find more information about the management representative in following links:

• What is the job of the quality management representative? - https://advisera.com/9001academy/knowledgebase/what-is-the-job-of-the-quality-management-representative/
• What will be the destiny of the management representative in the new ISO 9001:2015? - https://advisera.com/9001academy/knowledgebase/what-will-be-the-destiny-of-the-management-representative-in-the-new-iso-90012015/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

BCP and DR: ISO 22301

The BCMS scope should include all departments that can affect your organization's capability to deliver your products and/or services. For example, in a beverage industry, the logistics department plays a crucial role in delivering the products, so it should be considered in a BCMS implementation. The same applies to air traffic control activities for airports. So, you should consider your business products and/or services nature, and how your departments impact them, to identify which departments should be included in the BCMS scope.

These articles are related to ISMS but can provide some tips about defining a BCMS scope:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• How to define activities when implementing business continuity according to ISO 22301 https://advisera.com/27001academy/blog/2013/11/11/how-to-define-activities-when-implementing-business-continuity-according-to-iso-22301/

These materials will also help you regarding BCMS scope definition:

• Book Becoming Resilient, The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/ 
• Free online training ISO 22301: An overview of the BCM implementation process https://advisera.com/27001academy/webinar/iso-22301-overview-bcm-implementation-process-free-webinar-demand/

Management review meeting

I suppose you are the quality manager. Let us focus on ISO 9001:2015 clause 9.3.

Clause 9.3.1 is about the purpose of the management review (slide 8)

Management review is more than a meeting it is a process (slide 9)

Who participates? Top management and managers (slide 10)

Clause 9.3.2 is about the inputs to the management review (slide 11) – each participant has first-hand knowledge about specific topics and can be responsible for leading the conversation about decisions and actions about that topic.

Please check this free webinar on demand where all these topics are treated - How to perform management review according to ISO 9001:2015 - https://advisera.com/9001academy/webinar/how-to-perform-management-review-according-to-iso-9001-2015-free-webinar-on-demand/

You can find more information about management review in the following links:

• How to make Management Review more useful in the QMS - https://advisera.com/9001academy/blog/2014/01/21/make-management-review-useful-qms/ 
• How to Make Management Review More Practical - https://advisera.com/9001academy/blog/2013/12/10/make-management-review-practical/ 
• ISO 9001 document template: Procedure for Management Review - https://advisera.com/9001academy/documentation/procedure-management-review/ 
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/ 
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
   

Quality Records

Thank you.

Communication matrix

Your organization, with ISO 9001:2015 clause 4.2, determined relevant interested parties and their relevant requirements and/or expectations. So, considering those relevant interested parties, your organization should determine what needs to be communicated to each party (internal or external) in terms of the quality management system. For example, your organization may want to communicate process performance to employees, or quality test results to clients or environmental information to the local community. For each “what to communicate” your organization should plan (I use a table):

• when to communicate – once per month? once per year? Every quarter? 
• to whom communicate – clearly state who will be the recipients of communication 
• how will you communicate? – a newsletter? An internal meeting? An e-mail? A press release? An internal report? A blog post?
• who will communicate? – Which function or functions will be responsible for the communication?

The following material will provide you information about communication:
- Communication requirements according to ISO 9001:2015 - https://advisera.com/9001academy/blog/2016/11/01/communication-requirements-according-to-iso-9001-2015/
- You can enroll for free in this ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

BC Plan

Do I need to edit the same BC strategy document and add BC strategy for a new business unit or can I create a new BC strategy document for each department?

ISO 22301 does not prescribe how documents need to be developed, so organizations are free to develop them as best to fulfill their needs.

You can create a new BC strategy document for the new department, but you should evaluate if the effort to review and maintain two separate documents are worthy.

Both single and separated documents are accepted approaches. A single document is better to centralize strategies and make systemic review easier, but it can become too big and complex document to handle, while separated documents are easier to handle, but increases the administrative effort to review and maintain them.

A mixed approach would be to create a document with parts that are common for all strategies and then create separate documents with only the specifics of each department.

This article will provide you an idea about developing one o several documents:

• One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/

This material can also help you with the business continuity strategy:

• Developing the business continuity strategy according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/developing-the-business-continuity-strategy-according-to-iso-22301-free-webinar-on-demand/

Do I need to write the workaround of the processes/activities which I recognize in BIA conducted with the departments, in the BC plan?

I'm assuming that by "workaround" you mean a temporary fix to be used as a bypass of a recognized problem.

ISO 22301 requires you to create strategy/solutions and BC plans based on the BIA results - therefore, this should not be a workaround, rather it should be the update of those documents (if you already have them).

These articles will provide you an idea about developing BCPs:

• Business continuity plan: How to structure it according to ISO 22301 https://advisera.com/27001academy/knowledgebase/business-continuity-plan-how-to-structure-it-according-to-iso-22301/
• How to write business continuity plans? https://advisera.com/27001academy/blog/2010/04/08/how-to-write-business-continuity-plans/

This material can also help you with the business continuity plan:

• Writing a business continuity plan according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/writing-a-business-continuity-plan-according-to-iso-22301-free-webinar-on-demand/

Can I have a single document of both the BC strategy and plan in a single document for each business unit?

This is acceptable considering compliance with ISO 22301, but during a disruption, you will need rather short and clear documents to execute (i.e. the BC plans), and if such documents also include the BCP strategy they will become unnecessarily complex and will be difficult to execute.  

Additionally, you also should evaluate if the effort to review and maintain two separate documents is worthy, and sometimes the business continuity strategy contains sensitive information that should not be shared together with the BCP document.