Both adjustments can be made in your document, i.e., including a reference to control A.14.1.1 in section 2 (reference documents), and adding the Secure Development Policy as an implementation method for control A.14.1.1 in the SoA.
ISO 27001 does not require a procedure for measurement, only evidence of the monitoring and measurement results. For this purpose, you can use the template Measurement Result, located in folder 11 - Management Result.
This article will provide you with further explanation about monitoring and measurement:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
Please note that users' roles in a RACI matrix must be defined according to specified activities (i.e., the same user may have different roles for different activities).
For example, if the activity is "communicate policy publication", users will have the role "informed", while the security officer, for example, will have the role "responsible" (he is the one who communicates the new policy).
If the activity is "follow policy", then programmers and system administrators will have the role "responsible", while the policy owner will have the role "accountable".
This article will provide you with further explanation about the RACI matrix:
- RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/
I require advice on how cryptography policies should be documented. This is to reach an ISO 27001 certification.
To see what a policy for the use of encryption compliant with ISO 27001 looks like, I suggest you take a look at the free demo of our Policy on the Use of Encryption at this link: https://advisera.com/27001academy/documentation/policy-on-the-use-of-encryption/
The purpose of this document is to define rules for the use of cryptographic controls, as well as the rules for the use of cryptographic keys, in order to protect the confidentiality, integrity, authenticity, and non-repudiation of information.
This article will provide you with further explanation about cryptographic policy:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
We received these questions:
1. We are initiating the process to get accreditation for ISO 17025:2017 for our laboratory. We are a pharmaceutical company having all the related SOPs for ISO 9001:2015, etc., and all the required SOPs related to laboratory work, including testing procedures, calibration/qualification of equipment, validation of methods, qualification of personnel working in the lab for their competency, etc. What do you suggest so we can get it done easily?
Answer: This is a good question, as it is important to structure your documentation correctly, to make the process easier. The ISO/IEC 17025:2017 Documentation Toolkit will help you achieve this. The Diagram of ISO 17025:2017 Implementation Process provides the steps for you to follow for implementation and accreditation. As guided by the Toolkit, you will start by documenting the Quality Policy and Quality Objectives of your laboratory. The Project Plan for Implementation provides clear direction for you to specify individual project objectives, and plan which documents will be written by when. Knowing the ISO 17025 mandatory requirements and evaluating the risks and opportunities for the laboratory's processes and procedures will help you focus and keep the documentation to the necessary minimum. You can incorporate all the existing ISO 9001:2015 SOPs into your ISO 17025 quality management system. Make sure these are revised, if necessary, to include all ISO 17025 activities.
2. Is it required to get accreditation for each testing method performed in the lab? Or do we just need to prove that we are working as a competent lab, with all the tests performed under the required environment, using qualified equipment, by competent personnel?
Answer: Unless required by regulators or legislation, you do not need to include all your test methods. In fact, this is an important decision which must be made early on, as indicated in the Diagram of ISO 17025:2017 Implementation Process (Determine the Scope). The choice of tests will be driven by regulator, customer or market need. Many laboratories become accredited initially, with only a few test methods. You can always extend the scope later. It is important to be clear, however, that general claims of technical competency are not allowed. A laboratory can only claim that they are accredited to provide results using those methods or techniques listed on the accreditation certificate.
The following articles will provide more information:
The links to the ISO 17025 Toolkit material are:
Unfortunately, this is not a GDPR matter. My advice would be: if you want to report a breach of tax law, you are free to do so.
ISO auditors' hourly rates vary significantly from country to country, and depending on the certification body they work for, so there is no definitive answer to this question.
In this IRCA survey, you can find that the global average salary for an auditor is £38,031: https://www.quality.org/knowledge/salary-survey-reveals-how-much-more-irca-auditors-earn
But please note that audit costs involve other variables, such as travel costs and certification body fees.
In case you need more precision, you can easily request a quote from a couple of certification bodies.
This material will provide you with further explanation about certification costs:
- How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project
If I understood correctly, you are talking about variations in the available capacity of a virtual server in the cloud. In this case, you do not need to take this variation into account in the asset register, only the server as a logical unit.
For example, if you have a database server in the cloud, in your asset register you can record it as "cloud database server". This way, by the very nature of cloud working, you do not need to take into account the configuration related to its required capacity.
This article will provide you with further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
No, the GDPR does not define the term "market research". All the definitions in the GDPR can be found in Article 4. You can get more information on the impact of the GDPR on scientific research, including market research, in this study of the EU Parliament: https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634447/EPRS_STU(2019)634447_EN.pdf
I'm assuming you are referring to the National Electronic Security Authority from the United Arab Emirates (UAE). Considering that, NESA develops documents based on ISO 27001 and several other established standards (such as NIST publications), but it does not define them as prerequisites, i.e., you do not need to implement ISO 27001 to comply with NESA requirements, although you can use the standard as support to fulfill NESA requirements. If you have already implemented ISO 27001, then your implemented documents can be used to fulfill NESA requirements.