These are two separate requirements.
The phrase about the e-mail message refers to business messages, sent through approved business channels. The phrase about the message on a message exchange system refers to personal messages posted on non-business channels.
Please note that sometimes, when people know where you work, comments posted on social media can be interpreted by others as your organization's point of view. That's why many organizations have internal rules orienting their employees to not make comments related to work (in most cases if you want to include your organization in your timeline, organizations suggest you share organization's posts). These suggestions are not requirements of ISO 27001, but good practices. You can decide for yourself whether to apply this or not.
To see what documents covering the requirements you mentioned look like, considering ISO 27001, I suggest you take a look at these free demos:
Please note that ISO 27001 and ISO 22301 do not require Context of the organization and Business continuity strategy to be documented, but as a good practice you can use this template for Business continuity strategy:
These articles will provide you further explanation about developing documents:
Regarding answers to requirements in audits, the documents themselves, and the presentation of any records listed in these templates will help you succeed in the audit.
These articles will provide you information about preparing for audits:
A Service Management System (SMS) based on ISO/IEC 20000-1 uses more detailed and industry-specific requirements. Yes, we can argue that the same requirements are also included in the ISO 9001:2015 QMS, although with a more generic approach, i.e. on a higher level. So, if you want to manage your services, an SMS is the right "tool" for you.
See a comparison of both standards in this free whitepaper (please note, it's written for the 2011 revision of the ISO 20000-1 standard, but it will give you a good idea): ISO/IEC 20000-1:2011 vs. ISO 9001:2015 matrix: https://info.advisera.com/20000academy/free-download/iso-iec-20000-1-2011-vs-iso-9001-2015-matrix
Ignore this question, I found the answer here:
1. How to determine RTO? It is clear for MTPD.
The RTO is defined after you cross-examine the MTPD between different interdependent activities. In some cases, the RTO will remain the same as the MTPD, and in some cases (where the related activity requires a quicker recovery) it will be lower.
2. Who determines RTO? Department responsible for critical activities or Department responsible for resources supporting critical activities (IT, logistics, …)?
The RTO is related to business needs, so the person responsible for the impacted activity must be the one to define the RTO, but it is important that this person consults the person responsible for supporting resources, to find the best balance between business needs and available resources (the smaller the RTO, the more resources you will need).
3. About your example during the webinar: if the RTO of IT is 8 hours and the RTO of one critical activity is 4 hours, and this one depends on IT, which RTO will be considered?
When considering the interdependency of activities, you always need to consider first the RTO related to the business activity. In the example, since the RTO of the critical activity is 4h, this one must be the RTO to be considered (in case you consider the RTO for IT, the critical activity will not be recovered in a proper time).
For more information, please read the following article:
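As an added illustration of the three answers above (example code, not part of the answer or of the article it refers to), the following propagates RTOs through activity dependencies: every activity starts with RTO equal to its MTPD, and any supporting resource is tightened to the smallest RTO of the activities that depend on it. The activity names, MTPD values and dependencies are constructed sample data; in the 8h/4h case from the webinar question, IT is tightened to 4h.

```python
from typing import Dict, List, Optional, Tuple

class Activity:
    """One business activity or supporting resource from a BIA (constructed sample model)."""
    def __init__(self, name: str, mtpd_h: float, depends_on: Optional[List[str]] = None):
        self.name = name
        self.mtpd_h = mtpd_h                  # Maximum Tolerable Period of Disruption, hours
        self.depends_on = depends_on or []    # names of supporting activities/resources

def derive_rtos(activities: Dict[str, Activity]) -> Dict[str, float]:
    """Return an RTO per activity: never above its own MTPD, and for a supporting
    resource never above the RTO of any activity that depends on it."""
    rto = {a.name: a.mtpd_h for a in activities.values()}   # start: RTO = MTPD
    # Each pass can only lower values to ones already present, so it converges;
    # the bound guards against runaway loops on malformed input.
    for _ in range(len(activities) + 1):
        changed = False
        for a in activities.values():
            for dep in a.depends_on:
                if dep not in activities:
                    raise KeyError(f"{a.name!r} depends on unknown activity {dep!r}")
                if rto[dep] > rto[a.name]:       # supporter slower than dependant: tighten
                    rto[dep] = rto[a.name]
                    changed = True
        if not changed:
            break
    return rto

def tightened(activities: Dict[str, Activity], rto: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """List (name, MTPD, RTO) for every activity whose RTO ended up below its MTPD,
    i.e. where the supporting-resource owner must plan a faster recovery."""
    return [(n, a.mtpd_h, rto[n]) for n, a in activities.items() if rto[n] < a.mtpd_h]

def build_example() -> Dict[str, Activity]:
    """Constructed sample: IT could tolerate 8h, but invoicing (4h) depends on it."""
    acts = [
        Activity("IT", 8),
        Activity("Invoicing", 4, depends_on=["IT"]),
        Activity("Payroll", 24, depends_on=["IT"]),
    ]
    return {a.name: a for a in acts}

if __name__ == "__main__":
    acts = build_example()
    result = derive_rtos(acts)
    for name, mtpd, rto_h in tightened(acts, result):
        print(f"{name}: MTPD {mtpd}h -> RTO {rto_h}h (driven by dependent activities)")
```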
If documents created by an employee and sent directly to the client without the approval of another person of the organization is an acceptable risk to your organization, then you can include an "exception" in this section like:
"Except for client project work documents, all other documents, regardless of whether they are new documents or new versions of existing documents, must be approved by [job title]. Client project work documents are considered approved by the employee who has created/reviewed them."
Please note that as a good practice for projects, the project manager should review/approve the documents, since they will be sent to the client.
Unfortunately, we do not have a specific cyber-attack contingency plan. Our templates are provided as a general basis for the development of specific contingency plan scenarios, so you can use them to define the activities, resources, and responsibilities required as a contingency for a cyber-attack.
Please take a look at these free demos to see what a contingency plan looks like:
This article will provide you further explanation about developing a BCP and a DRP:
My first question is about the formal process for a company to get certified ISO 27017 if it is already certified ISO 27001.
Is it just about asking the audit provider to verify the additional questions and deliver the "statement of compliance"? Or is there a certification for which the company should conduct a proper and distinct audit?
First, it is important to note that ISO 27017 is not a certifiable standard. What some certification bodies do is to "certify" against ISO 27017 during an ISO 27001 certification process, because ISO 27001 is the only certifiable standard in the ISO 27000 series.
Considering that, to be "certified" against ISO 27017 all you need to do is to include the applicable controls related to ISO 27017 in your Statement of Applicability (of course, as a result of performing the risk assessment and risk treatment process), update your risk treatment plan, implement required controls and notify your certification body about the changes (so it can adjust the certification/surveillance audits accordingly).
For further information, see:
My second question is: can a company say that it is certified for information security management for cloud computing services just with ISO 27001/27002?
ISO 27001 has enough security controls to allow an organization to be certified considering cloud computing services in its ISMS scope. You would only need to include controls from ISO 27017 if your organization has specific requirements demanding the implementation of ISO 27017 controls (e.g., laws, regulations or contracts).
This article will provide you further explanation about ISMS scope:
If the company implements ISO 13485/10328, with our ISO 13485:2016 Documentation Toolkit the following requirements from the FDA will be met: the quality management system described in 21 CFR 820, and the reports of corrections and removals described in 21 CFR 806. The following requirements need to be fulfilled in addition to our toolkit: registration described in 21 CFR 807, Unique Device Identification described in 21 CFR 830, and electronic records and signatures described in 21 CFR 11.
For more information, please read the following article:
How to use ISO 13485 to fulfill FDA regulatory classes for medical devices https://advisera.com/13485academy/blog/2017/09/14/how-to-use-iso-13485-to-fulfill-fda-regulatory-classes-for-medical-devices/
When you have a nonconformity, you need to eliminate it. A correction attacks the nonconformity: it focuses on the defect, on what is wrong, and tries to solve the situation. For example, through rework, through scrapping, through downgrading, or through a discount with the customer to see if he or she agrees to receive the wrong product.
After eliminating what is wrong with the correction, one should evaluate the risk. How important is the nonconformity, with its actual or potential consequences? What is the probability of recurrence; can it happen again?
If the risk is relevant, a corrective action is needed. Corrective action is done after the correction and has another purpose: trying to eliminate the cause behind the nonconformity. When we do an effective corrective action, we eliminate or reduce the frequency of recurrence of the nonconformity. For example, changing a raw-material supplier in order to minimize production problems due to a raw material.
The following material will provide you information about corrections and corrective actions: