Search results

ISO 27001 certification process

1. I am currently in the process of trying to get our company ISO 27001 certified. That being said, after going through your toolkit and getting all the document and policies in place, what would be our next step?

After the implementation of documents and controls, you need to make sure that everyone in the company is complying with ISMS documents, i.e. performing all the activities prescribed there.

These articles will provide you further explanation about the implementation process:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
• How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
• Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

2. Who is it that certifies us that we are ISO 27001 certified and provides the certification?

Organizations that issue certification are called certification bodies (a person cannot certify an ISMS), and a proper certification body must select according to your needs.

These articles can provide you further information:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

3. I also see that you have a course for lead auditor, what is the benefit of this certification?

The lead auditor course is recommended for those who want to work as a certification auditor for a certification body. For those who only want to audit his/her own certification, the internal auditor course is a better option.

This article will provide you a further explanation about the Lead Auditor course:

• What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
• ISO 27001 Internal Auditor training – Is it good for my career? https://advisera.com/27001academy/blog/2016/03/29/iso-27001-internal-auditor-training-is-it-good-for-my-career/

This material can also help you:

• ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

ISO 27001 and SIEM

I would like to address the issue of how to integrate ISO 27001 with the implementation of a SIEM, that is, I have clear some concepts and some existing relationships, but I would like to better base this integration and learn more about ISO 27001 to be able to relate it.

A Security Information and Event Management (SIEM) is a software or service which combines security information management (SIM) and security event management (SEM), providing real-time analysis of security alerts generated by network hardware and applications.

ISO 27001 is a set of requirements to plan, implement, operate and improve an Information Security Management System. It is composed by a set of requirements for information security management (section 4 to 10), and a set of controls (Annex A), which can be used to treat relevant risks.

Considering these definitions, you can understand SIEM as an implementation way for some controls from Annex A (primarily those from sections A.12.4 Logging and monitoring, A.13.1 Network security management, and A.16 Information security incident management).

A proper integration between ISO 27001 and SIEM is ensured based on the results of risk assessment and risk treatment, were relevant risk are identified and treated by the application of controls defined in the above-mentioned sections.

This article will provide you further explanation about ISO 27001 security controls:

• Logging and monitoring according to ISO 27001 A.12.4 https://advisera.com/27001academy/logging-according-to-iso-27001/
• How to manage network security according to ISO 27001 A.13.1 https://advisera.com/27001academy/blog/2016/06/27/how-to-manage-network-security-according-to-iso-27001-a-13-1/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding ISO 27001:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Risk Analysis

First you need to define the risk management team. The next step is to define the risk management plan and select the methodology for risk assessment. Most use methodology is FMEA (Failure mode and effects analysis), but of course, you are free to use any methodology that you find applicable, and that covers all aspects of SO 14971:2019 Medical devices — Application of risk management to medical devices. After you define your methodology, you execute risk management. According to the ISO 14971:2019 following steps must be covered: risk identification, risk estimation, risk evaluation, implementation of risk control measures and estimation of residual risks. 

For more details, please see the following article:

Our Premium toolkit has step-by-step guidance on how to perform risk management processes, how to perform identification, evaluation, and addressing of risks that arise from design and development, production and service delivery, sterilization, and post-delivery processes. Also, in our Toolkit is described which persons need to be involved according to their role in the organization. Recommended technology is FMEA (Failure mode and effects analysis). All reports required by new ISO 14971:2019 Medical devices — Application of risk management to medical devices are prepared so that you can totally be in compliance with the state-of-the-art.  When you buy the Toolkit and start to implement documents, you have a one-hour free talk with the consultant, so for any other doubts, you are free to request a call with an expert.

Risk assessment process

Considering the most common steps for implementation of ISO 27001, the following mandatory documents must be available before risk assessment starts:

• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)

The risk assessment and risk treatment methodology is not a mandatory document (the standard only requires the process to be defined and implemented), but it is considered a good practice to have the methodology documented.

The Scope will define which assets and/or processes are included in the ISMS, which is the base for doing the risk assessment. The Information security policy will define basic responsibilities. 

This article will provide you a further explanation about implementation steps:

• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ 
• ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding implementation steps:

• Preparations for the ISO Implementation Project: A Plain English Guide https://advisera.com/books/preparations-for-the-iso-implementation-project-a-plain-english-guide/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Sign-offs on procedure

One should consider two topics: authority and implementation effectiveness.

ISO 9001:2015 requires that documents belonging to a quality management system have to be approved by an authorized role. Having just a signature evidencing approval by an authorized role is enough. ISO 9001:2015 does not require elaboration and verification signatures.
A good implementation practice, to avoid resistance and/or mistakes, is to ask departmental participation during the development of a procedure.
 

The following material will provide you more information about document control:

- Some tips to make Document Control more useful for your QMS - https://advisera.com/9001academy/blog/2014/05/20/tips-make-document-control-useful-qms/
- How to structure quality management system documentation - https://advisera.com/9001academy/knowledgebase/how-to-structure-quality-management-system-documentation/
- List of mandatory documents required by ISO 9001:2015 - https://advisera.com/9001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-90012015/
- Free online training ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Managing ISO Documentation: A Plain English Guide - https://advisera.com/books/managing-iso-documentation-plain-english-guide/
 

Analyzing implemented standards

ISO 9001:2015 and ISO 14001:2015 are two standards among many other ISO standards. To confirm, please check the certificates, there you can confirm the standards identity.

The following material will provide you more information about those standards:

- What is ISO 9001? - https://advisera.com/9001academy/what-is-iso-9001/
- What is ISO 14001? - What is ISO 9001? - https://advisera.com/14001academy/what-is-iso-14001/
- Six Key Benefits of ISO 9001 Implementation - https://advisera.com/9001academy/knowledgebase/six-key-benefits-of-iso-9001-implementation/
- 6 Key Benefits of ISO 14001 - https://advisera.com/14001academy/blog/2019/08/27/key-iso-14001-benefits-to-customers/nowledgebase/6-key-benefits-of-iso-14001/
- Free webinar on demand - Overview of ISO 9001 implementation steps - https://advisera.com/9001academy/webinar/overview-of-iso-9001-implementation-steps-free-webinar-on-demand/
- Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
- Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/

RTO and MAO

 Considering ISO 22300 vocabulary (which can be found here: https://www.iso.org/obp/ui/#iso:std:iso:22300:ed-2:v1:en)

• MAO: maximum acceptable outage, the time it would take for adverse impact to become unacceptable
• RTO: recovery time objective, the period of time following a disruptive event within which operation is resumed, or resources are recovered.

Considering these definitions, the RTO value only makes sense if it is smaller than MAO, so RTO cannot be greater than MAO.

In fact, there is a note for RTO in the standard defining this relation: the recovery time objective is less than the time it would take for the adverse impacts to become unacceptable.

For further information about RTO, see:

• What is the difference between the Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/

2016 version vs 2018 version

There does not seem to be a difference in the requirements these two standards, as both are equivalent to AS 9100 Rev D. There may be some changes in the appendix information because the transition period for AS9100 Rev D is over, but this does not change any requirements for the QMS.
You can learn more about the AS9100 standard, see the whitepaper: Clause-by-clause explanation of AS9100 Rev D, https://info.advisera.com/9100academy/free-download/clause-by-clause-explanation-of-as9100-rev-d
For help implementing the standard, our book may be useful: Applying AS9100 Rev D, https://advisera.com/books/applying-as9100-rev-d/

Risk Assessment software

Small and medium-size companies in most cases do not have a big number of risks to justify the use of software for risk assessment, and the features of a spreadsheet are sufficient to perform the process.

For risk assessment and treatement you can use the following templates in your toolkit:

• Risk Assessment and Risk Treatment Methodology
• Appendix 1 – Risk Assessment Table
• Appendix 2 – Risk Treatment Table
• Appendix 3 – Risk Assessment and Treatment Report

These documents are located on folder 10 - Risk Assessment and Risk Treatment.

Parental information

First of all, consider that the data process of minors is lawful under GDPR when the child is at least 16 years old. Under the age of 16 years old, you will require their parent consent (in such case, you can have access to their parents’ email).According GDPR, you can require parents' email but you cannot use it for marketing activity without their consent.

In fact, you need to consider that for targeted marketing activity the GDPR requires the consent of the targeted person so that children and parents need to flag the box wishing to receive your advertising.

In such form, to be GDPR compliant, you should ask for consent from prospective students and/or parents, also adding a box to flag for marketing purposes. You should inform them about the data process in your privacy notice.

For more information, please see these materials:

•  How does GDPR impact marketing activities?: https://advisera.com/eugdpracademy/blog/2018/02/08/how-does-gdpr-impact-marketing-activities/
• Email marketing in the era of GDPR – How to ensure compliance?: https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
• How does GDPR affect digital marketing? https://advisera.com/eugdpracademy/blog/2019/02/20/how-does-gdpr-affect-digital-marketing/
• ART 8 GDPR: https://advisera.com/eugdpracademy/gdpr/conditions-applicable-to-childs-consent-in-relation-to-information-society-services/
• Everything you need to know about the GDPR Privacy Notice: https://advisera.com/articles/gdpr-privacy-notice-6-key-elements-to-include/
• EU GDPR document template: Parental Consent Form https://advisera.com/eugdpracademy/documentation/parental-consent-form/