Search results

New control names

First is important to note that such classifications are defined only in ISO 27002, and they are not mandatory to be used to be compliant with ISO 27001.

Considering that, these classifications are known in ISO 27002 as control attributes, and they provide a standardized way to sort and filter controls against different views to address the needs of different groups. 

The detective, corrective and preventive attributes belong to the “control type” attribute category. ISO 27002 provides other four categories that can be used instead of “control type” to sort controls:

• Information security properties: Confidentiality, Integrity, and Availability
• Cybersecurity concepts: Identify, Protect, Detect, Respond, and Recover
• Operational capabilities: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance
• Security domains: Governance and ecosystem, Protection, Defense, and Resilience

For example, control 5.1 Policies for Information Security, in its attribute Control type is classified as preventive, while its Concept attribute is identify. As for control 7.4 Physical Security Monitoring in its attribute Control type is classified as preventive and detective, while its Concept attribute is protect and detect.

For further information, see:

• Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/

Gap analysis results

1 - Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.

Please note that besides the ISMS scope, required by clause 4.3, there is no other documentation required by section 4 of the standard. The ISMS Scope is documented within Conformio.

Clause 4.1 requires the context of the organization to be determined, but it does not need to be documented.

Clause 4.2 requires interested parties and their requirements to be determined, and this is documented in the List of legal, regulatory, and contractual requirements.

For further information, see:

• For clause 4.1: How to define context of the organization according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/

2 - Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.

The standard requires risks to be identified considering the loss of confidentiality, integrity, and availability, and this is done in Conformio by assessing the impact taking into account C-I-A - this is also specified in the Risk Assessment Methodology. The standard does not require C-I-A to be assessed separately.

For further information, see:

• Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

• Audit questions

  1. One of my client is outsourced the IT and Software Development, I have to do the internal audit for this client, in scope document they have mentioned as entire organization. In that case do I have to audit the IT department

  I’m assuming that your client is outsourcing its IT and Software Development.

  Considering that, in terms of the IT department you need to audit the contract/service agreement they have with the outsourcing company, to evaluate if the outsourced services are being managed by the company and fulfilled by the provider.

  In case the client is providing IT and Software Development to other companies, then you need to audit the IT department.

  For further information, see:

  • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
  • Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/

  2. One of the client is operating on Co-working space, Physical, access, IT, and Networking security is Managed by the provider, In this scenario do the client needs to have access, network, physical security polices and procedures

  In this scenario, the client needs to have the Access control policy because it is a mandatory document according to ISO 27001. Regarding network and physical security policies, the client can decide on its own whether these are needed or not. The fact that the client is using outsourced services has no impact on this situation.

• ISMS scope

  I’m assuming that you do not own the data center.

  Considering that, for certification purposes, you need to define at least one physical location which belongs to the organization. This one can be the address of the CEO's home, or some office rented by the organization for administrative purposes(like the company HQ).

  Since you are a remote company, you should define your scope in terms of the data you want to protect (i.e., the physical data center should be excluded, but the data hosted in this data center should be included) and exclude all remote sites.

  These articles will provide you with further explanation of ISMS scope definition:

  • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
  • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
  • Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

  This tool can also help you:

  • Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

  • Equipment Qualification vs. Process Qualification and Process Validation

    There are no specific direct requirements regarding the process and/or equipment qualifications. There is a requirement in the ISO 13485:2016 6.3 Infrastructure states that the organization will document requirements for the maintenance activities, control of the work environment, and monitoring and measurement. 
     
    Further on, in requirement 7.5.6 Validation of processes for production and service provision is stated that the manufacturer must validate any process where the resulting output is not apparent. In this requirement is stated which elements must be covered for the validation.  

  • Question about audit

    ISO 27001 is not mandatory to implement TISAX, but since they share many similar requirements, you can adopt ISO 27001 to make TISAX implementation and audit easier.

    For further information, see:

    • TISAX – What is it, and how is it related to ISO 27001? https://advisera.com/27001academy/blog/2019/03/11/how-iso-27001-and-tisax-are-related/

  • Medical devices

    No, medical devices are not subject to the falsified medicines directive. Implementing the UDI number and registration of the devices in the EUDAMED is a way to prevent falsified medical devices.   

  • Required documents

    1. What documents will I need to write in order to be compliant with GDPR?

    You can find the list of documents required by GDPR in this article:
    • List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/

    2. Is it for example possible to write that we are often changing providers and that the client should contact us to get the correct information?

    I wouldn’t recommend this approach. As a web hosting company, you should act as a data processor for your customers. Thus, in the Data Processing Agreement, according to Article 28 GDPR - Processor, you must mention what sub-processors you use and what they do exactly with your customers’ personal data. According to Article 13 GDPR - Information to be provided where personal data are collected from the data subject, your customers, acting as data controllers, must inform data subjects about the processors they are using. Since there would be only one web hosting company – yours – it wouldn’t make sense to mention a category.

    Please also consult these links:

    • Article 13 GDPR - Information to be provided where personal data are collected from the data subject: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/
    • Article 28 GDPR – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
    • List of mandatory documents required by EU GDPR: https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
    • EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
    • A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/

  • Possibility of including more methods on calibration certificate

    A laboratory and extend it’s scope of accreditation (i.e add more methods) by applying according to the accreditation body’s procedure.

    If as a calibration laboratory you want to add more methods to the calibration certificate you supply to a client, that is not an issue, as long as you are accredited for them. You need to report the method used, which could be a standard method, in-house or modified.

  • ISO 27001 and DORA EU

    I’m assuming that by DORA you mean the Digital Operational Resilience Act

    Considering that, DORA’s purpose is to strengthen the financial sector’s resilience to ICT-related incidents, and although not mandatory for DORA, ISO 27001 can provide a robust baseline to support compliance with this objective.

    Regarding personal certifications, you can consider:

    • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
    • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

    These articles will provide you with a further explanation of ISO 27001 personnel certifications:

    • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
    • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
    • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

    For courses related to these certifications, please see:

    • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
    • ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/