
  • Asset Type in the Information Asset Inventory

    The reason for not including the processes in the risk assessment methodology and templates is that we have based our risk assessment on the so-called "asset-based approach". This approach is mainstream in the information security world because it provides the best balance between the precision of results and the amount of effort.

    It is not recommended to mix assets with processes because this will only confuse things - the optimal way is to go with the asset-based approach.

    Therefore, you should only use the assets that your processes consist of. 

  • ISMS Scope

    You should include in the scope all assets you control directly - i.e. you would include data for SaaS, or data and application software for IaaS. 

    You'll find a more detailed explanation here: Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/ 

  • Applicability of A.10.1 Cryptographic Controls

    If you are referring to SSL certificates, then control A.10.1.1 Policy on the use of cryptographic controls is probably applicable to you, while control A.10.1.2 Key management may not be applicable because you are not handling keys. 

    But you primarily need to assess your risks, and analyze requirements to define which controls are applicable and which not. 

    Here are a couple of helpful articles:

  • A6 Internal Organisation

    If your question is about whether you need to prepare documentation for a data breach, then from the perspective of ISO 27001 you do not need to do it, because ISO 27001 does not require such documents.

    Depending on the country/state you are based in, such documents might be required by local regulations - for example, EU GDPR requires you to have some documents for data breaches, see this article: List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/

    In this EU GDPR Toolkit you'll find all the required templates: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ 

  • Clause 5.4 consultation and participation of workers

    When discussing consultation and participation of workers in clause 5.4 of ISO 45001, the standard refers to workers’ representatives, where they exist. So, the ISO standard is not dictating that you have workers’ representatives, or how you determine them. The reason for this is that the rules for worker representatives in laws around the world are very different, and you must turn to the local laws if you want a definitive answer on how many worker representatives you need and how you choose them.

    If you do not have a legal requirement, and wish to put worker representatives in place anyway, then how you choose them needs to be determined by you; the ISO 45001 standard does not have any requirements around this. A general rule of thumb for setting your own rules would be to ask yourself "How many representatives do we need, and how should they be distributed across departments, so that the consultation of all workers can happen effectively?" Remember, the production department is not the only place with OH&S rules and hazards.

    For more on implementing clause 5.4, see the article: How to meet participation and consultation requirements in ISO 45001, https://advisera.com/45001academy/blog/2016/03/16/how-to-meet-participation-and-consultation-requirements-in-iso-45001/

  • ISO 17025 for internal quality control laboratory

    Certainly, we will guide you on how to adapt the toolkit for your special circumstances - in the price of the toolkit, we include one-on-one consultations, document review, and unlimited email support - we will tell you which steps to take and what to pay attention to when implementing the standard.

    The toolkit is suitable for any testing laboratory that wants to implement ISO 17025:2017 and seek accreditation, irrespective of whether they have external customers or, as in your case, are an in-house Quality Control laboratory, where the factory/manufacturing plant is your customer. In some ways it is simpler implementing for an in-house laboratory; for example, meeting reporting requirements is easier.

    Note that while we offer advice on using the ISO 17025 toolkit to implement your management system, as well as on how to integrate the toolkit and ISO 17025 with other Management Systems you may have, the scope of the toolkit and our expertise is ISO 17025, not Food Safety (ISO 22000) or HACCP (Hazard Analysis and Critical Control Points) certification.

    Here is a detailed description of the toolkit, you can also download the free demo: ISO 17025 Documentation Toolkit https://advisera.com/17025academy/iso-17025-documentation-toolkit/

  • COBIT, ITIL and ISO27001 comparison

    Here are a couple of materials that can help you: 

  • ISO 22301 Base policy

    If you are using our ISO 27001 / ISO 22301 Documentation Toolkit, you can find the ISO 22301 documents in the folder "08 Annex A Security Controls" - "A.17 Business Continuity" - there you will find the Business Continuity Policy and around 20 other business continuity documents.

    By the way, in the root folder of the toolkit you will find the "List of documents" which lists all the documents within the toolkit, as well as their folder location, and the related clause of the standard. 

  • BCM Manager tasks

    To implement ISO 22301 you will need to follow the steps explained in this article: 17 steps for implementing ISO 22301 https://advisera.com/27001academy/knowledgebase/17-steps-for-implementing-iso-22301/22301/iso-22301/

    These materials will also help you: 

  • Implementation timeframe

    The time for the implementation depends on the size of your company:

    • Very small organizations (up to 10 employees) usually implement the standard in up to 4 months
    • Smaller organizations (up to 50 employees) usually implement the standard in 4 to 8 months
    • Mid-size organizations (up to 500 employees) usually implement the standard in 8 to 12 months
    • Large organizations (500 employees and more) – implementation usually lasts 12 to 15 months

    You can find more details here: How long does it take to implement ISO 27001 / BS 25999? https://advisera.com/27001academy/blog/2011/11/08/how-long-does-it-take-to-implement-iso-27001-bs-25999/ 
