Thank you Rhand.
1 - Can you confirm whether, during stage 1 of a certification process, an organisation needs certified Lead Implementers or Auditors within the organisation before the organisation is certified, and which clause demands this.
I’m assuming you are asking if certified Lead Implementers or auditors need to be present in the organization as certification criteria.
ISO 27001 does not prescribe the role of lead implementer, so the presence of a lead implementer is not a requirement for certification. Regarding the auditor role, the standard defines it in clause 9.2, but only requires that the internal audit be performed by a person with proper competency (clause 7.2 Competence), so the presence of auditors is not a requirement for certification (the certification auditor will only check whether audits were performed by auditors with proper competencies).
For further information, see:
2 - Secondly, can an organisation outsource the roles of ISO 27001 LA and LI and be successfully certified?
I will be grateful to have your feedback.
ISO 27001 does not prescribe that auditors and implementers need to be employees of the organization, so it is acceptable to outsource these roles.
For further information, see:
Please note that this tool does not provide deep insights or gap analysis on the changes brought by the 2022 revision of ISO 27001. It only shows how previous controls from the 2013 version are now mapped. For example:
ISO 27001:2013 controls:
• A.8.1.1 Inventory of assets, and
• A.8.1.2 Ownership of assets
... have merged into ISO 27001:2022 control:
• A.5.9 Inventory of information and other associated assets
This is an example right from the tool.
For further information about new controls introduced by ISO 27001:2022, please read:
It is usually inspected for pests - rodents, flies, and cockroaches. Therefore, it is checked whether the traps are installed and whether they are inspected regularly. The external auditor looks at how the finished goods are arranged, whether the boxes are damaged, and whether the product itself may be damaged. The third point is to check whether the defined storage conditions are ensured - whether the temperature/humidity is measured, whether temperature mapping has been done in the case of a high-shelf warehouse, and whether the products are placed somewhere where they are directly exposed to the sun.
All these situations can lead to contamination of the finished product.
If you do not have additional customer special requirements, you should complete ISO 9001 and IATF 16949 standard training, internal auditor training, and core tools (APQP, PPAP, SPC, MSA, FMEA) training for internal auditors and supplier auditors.
You can access these logs through the Responsibility Matrix, which you can access through the link in the left side panel of your screen.
In the Responsibility Matrix screen, you can filter the logs by “One task” and search for activities titled “Please read the document…”
For each line, you can identify, using the colored indicators, if the document was read or not.
First of all, sorry for this confusion.
The Risk Management toolkit can be used for both ISO 27001 and ISO 22301. In all templates, you can find comments instructing you, when applicable, on which changes should be made to the document in case you are applying it to ISO 22301.
For further information, see:
From your question, I understand you want to know how to use an Internal Audit Checklist based on ISO 27001:2013 considering the references from ISO 27001:2022.
Considering that, your first assumption is correct. The first column references the ISO standard clause.
Regarding mapping the corresponding control in the evidence section, I suggest you add a second column beside the clause column, so you have two columns providing the link between the clauses of both versions. For example: https://i.imgur.com/JFfCfM7.png
This way works better when you handle multiple controls from ISO 27001:2013 that were merged into a single control in ISO 27001:2022 (placing this data about controls in a specific column makes reading them easier).
For further information, see:
Thank you, Rhand! This is very insightful.
1 - Working for a company that does not store any of the data in house and handles software development in GitHub, how would we apply cryptography?
We are not GitHub experts, so our recommendation to you is to consult GitHub staff to see how to apply cryptography to data at rest in your repositories.
Maybe these links can provide some information:
2 - I understand you need certain processes to include encryption, but I don't quite see where I could use it.
You can use the results of risk assessment and identified applicable legal requirements (e.g., laws, regulations, and contracts), to build an understanding of where to apply cryptography.
For example, from a contract with a customer, you can identify a clause demanding that all code developed for that customer must be encrypted, or the results of risk assessment may demonstrate that a specific module represents a competitive advantage to your company, so keeping the confidentiality of that code through encryption can be a solution.
For further information, see:
3 - We use SSH tunnels for an encrypted connection from computers into secure coding environments, but how could we use this in our policy?
You can define the use of SSH tunnels in section 3.1 of the Cryptographic Policy. For example: