
  • ISO 27001:2022

    First of all, sorry for this confusion.

    In the transition scheme, the 25/10/2022 date only means that ISO 27001:2022 is already a certifiable standard by the day of its release.

    To be able to issue the certification, certification bodies, and certification auditors working for them, will need to go through an update process to be qualified for that. Some certification bodies will be able to do this more quickly, others will be slower - in any case, we expect that some certification bodies will start certifying against the new 2022 revision very soon.

  • Risk Assessment

    To see examples of associated assets, threats, and vulnerabilities, please see:

    • Checklist of cyber threats & safeguards when working from home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
    • Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

    Regarding what you should choose from our list of threats and vulnerabilities, the best approach is to ask the people who work depending on this cloud software what their biggest concerns are, because from that you can identify which assets, threats, and vulnerabilities to consider.

    For example, if they are concerned with losing data, then the assets where data is stored must be considered, as well as threats and vulnerabilities that can impact these assets.

    For further information, see:

    • Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
  • HIPAA vs ISO

    The general steps to be prepared for certification are:

    1) getting management buy-in for the project

    2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational and the requirements of interested parties

    3) development of risk assessment and treatment methodology

    4) perform a risk assessment and define a risk treatment plan

    5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

    6) people training and awareness

    7) controls operation

    8) performance monitoring and measurement

    9) perform internal audit

    10) perform management critical review

    11) address nonconformities, corrective actions, and opportunities for improvement.

    This article will provide you with a further explanation of ISMS implementation:

    • ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

    Regarding the relation between HIPAA and ISO 27001, ISO 27001:2013 has at least 47 controls that can be used to comply with HIPAA requirements such as:

    • Assigned Security Responsibility (164.308(a)(2)) can be related to control A.6.1.1 – Information security roles and responsibilities
    • Security Awareness and Training (164.308(a)(5)) can be related to control A.7.2.2 – Information security awareness, education, and training

    For further information, see:

    • Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/
  • ISO27001 clause & controls alignment

    Please note that there is no connection between individual clauses to particular controls.

    This is so because the purpose of the main part of the standard (clauses 4 to 10) is to manage security (e.g., risk management, internal audit, etc.), whereas the purpose of Annex A is to decrease risks with controls.

    The main part of the standard determines how to select safeguards, how to manage them, how to measure if they are successful, and so on, whereas Annex A controls describe what needs to be implemented.

    For further information, see:

    • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    • Procedure for Design documentation management for medical devices

      No, we do not have a separate procedure for this. Managing documentation is covered within the Design and development procedure and Document control procedure.

    • Design & Development

      You may have all or most “Design and development” elements documented in your ISO 17025 QMS already; however, you need to do a gap assessment (what you need versus what is in place) as there are specific requirements for ISO 9001:2015. Why I say “may” is that it depends on what you have in place. Just because a laboratory is accredited to ISO 17025 does not automatically mean all the elements of ISO 9001 are there. The extent of implemented processes, documentation and records varies from laboratory to laboratory.

      You need to look at the ISO 9001:2015 requirements as per the standard and/or a checklist, including the mandatory documents (procedures and records). Confirm whether the requirements are implemented, in which procedures the processes are documented and whether the records you have include all the information required. If fully covered in your system, then you know clearly where they are. If not, either modify your ISO 17025 documents to add the elements required by ISO 9001, or create additional documents.

      For more information, look at the resources available at the Advisera ISO 9001 Academy at https://advisera.com/9001academy/. Have a look at the Checklist of Mandatory Documentation Required by ISO 9001:2015 at https://info.advisera.com/9001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-90012015

    • ISO 27001 Certification

      The standard does not require a particular document that would mark an end of ISO 27001 implementation.

      In the situation where you were not involved in the implementation, you could perform the internal audit (as defined in clause 9.2), and the results of this internal audit could be used to assess the level of compliance and readiness for the certification process. You can also show to your client the Statement of Applicability that displays which controls are already implemented - this is a good overview of how far the implementation has gone.

      For further information, see:
