ISO 27001 is not mandatory to implement TISAX, but since they share many similar requirements, you can adopt ISO 27001 to make TISAX implementation and audit easier.
For further information, see:
No, medical devices are not subject to the falsified medicines directive. Implementing the UDI number and registration of the devices in the EUDAMED is a way to prevent falsified medical devices.
1. What documents will I need to write in order to be compliant with GDPR?
You can find the list of documents required by GDPR in this article:
2. Is it for example possible to write that we are often changing providers and that the client should contact us to get the correct information?
I wouldn’t recommend this approach. As a web hosting company, you should act as a data processor for your customers. Thus, in the Data Processing Agreement, according to Article 28 GDPR - Processor, you must mention what sub-processors you use and what they do exactly with your customers’ personal data. According to Article 13 GDPR - Information to be provided where personal data are collected from the data subject, your customers, acting as data controllers, must inform data subjects about the processors they are using. Since there would be only one web hosting company – yours – it wouldn’t make sense to mention a category.
Please also consult these links:
If as a calibration laboratory you want to add more methods to the calibration certificate you supply to a client, that is not an issue, as long as you are accredited for them. You need to report the method used, which could be a standard method, in-house or modified.
I’m assuming that by DORA you mean the Digital Operational Resilience Act.
Considering that, DORA’s purpose is to strengthen the financial sector’s resilience to ICT-related incidents, and although not mandatory for DORA, ISO 27001 can provide a robust baseline to support compliance with this objective.
Regarding personal certifications, you can consider:
These articles will provide you with a further explanation of ISO 27001 personnel certifications:
For courses related to these certifications, please see:
Please note that the application of controls in SoA is not necessarily related to the ISMS scope, but to the results of risks assessment and identified applicable legal requirements (e.g., laws, regulations, and contracts). This means that some controls will be implemented by your company, and some controls by your suppliers or partners.
For example, even if you do not include outsourced IT services in your ISMS scope, you may have a contract with a customer requiring the implementation of a technical control; then this technical control needs to be stated in the SoA as applicable and implemented by your supplier.
1- How to do a gap analysis of the status of my management system against compliance with the ISMS requirements ISO 27001:2013
To perform a gap analysis of your ISMS against ISO 27001, please access our free tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
This is a simple question-and-answer list that allows you to visualize which specific elements of an ISMS you’ve already implemented, and what you still need to do.
2- List of documents required to comply with ISMS ISO 27001.
Included in your toolkit you have a list of documents that shows you which are the mandatory documents to be compliant with ISO 27001.
3. How to develop an ISMS ISO 27001 communications program to interested parties, what should this program contain?
Please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that a communication program needs to be developed or documented.
Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes and interested parties. So, having a centralized communication program would overload the people responsible for communication with activities that may not be a part of their attributions. That’s the reason there isn’t a specific template for a communication program.
The main documents in the toolkit that define how communication needs to be done (which could be considered as part of a communication program) are:
4. How to develop an ISMS ISO 27001 awareness program for stakeholders, what should this program contain?
For information security, these are some security practices you should consider (without more information about your context, it is not possible to suggest additional alternatives):
These articles will provide you with further explanation about security practices:
You can use the Training and Awareness Plan template, located in folder 9 Training and awareness, to document the activities to be performed.
5. How to develop a Management review procedure program
Please note that ISO 27001 does not require a procedure for Management Review to be documented, so to be compliant with the standard you can just use the Management Review minutes template located in folder 11 Management review.
In case your doubt is about review periodicity, the minimum is to perform a management review once a year, or more often if any major change happens that can influence information security (e.g., there is a new client who has very particular requests regarding the confidentiality or availability of your systems). However, it could be done more often (e.g., quarterly) if the management wants to be more involved in operational issues.
For further information, see:
No matter whether the production process is outsourced, that process must be in the scope. From the market point of view, regardless of the fact that production is outsourced, that company is responsible for the product.
1 - What do we really mean when we say that something is included in the ISMS scope? Does that mean that everything in the ISMS then needs to be applicable to the organization, site, and processes in the scope? Or if not, does this need to be described in the ISMS somewhere? (For example, if we have a sales process and this sales process doesn’t apply to an office that we say is in scope, then do we need to document this in the ISMS?)
The meaning of something being included in the ISMS scope is that this thing is information, or something related to information, that the organization wants to protect.
For example, if customer information is in the ISMS scope, then it means that this information needs to be protected. In case a sales process is in the ISMS scope, it means that all kinds of information related to the sales process need to be protected.
In your example, in case the sales process is not related to any information you want to protect (those related to the office you mentioned), you do not need to include it in the ISMS scope (or you can explicitly state that the sales process is out of the ISMS scope).
For further information, see:
2 - Could we exclude offices/departments from the ISMS because we don’t share the same Core processes if we at the same time share support processes (HR process and some IT processes for example) and steering processes?
Yes. The ISMS scope can be defined in terms of only part of the organization, but please note that for small organizations of up to 100 employees, it is better to define that the whole organization is part of the scope, because the effort to separate the elements that are in and out of the ISMS scope may not be worth it.
This article will provide you with further explanation about the scope definition:
1 - Could you explain how the certification process is done and what the average costs are?
The ISO 27001 certification process is performed in two stages:
Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation.
You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
In stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.
Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information, it is not possible to provide you with a precise estimation.
There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.
2 - Can Advisera do this certification?
Currently, Advisera does not perform certification audits.
3 - Can the certification be done online / remote or need to be done onsite?
Details on how the certification audit can be performed need to be evaluated on a case-by-case basis with the certification body, so you need to contact your certification body for this kind of information.
4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.
First, you should consider a gap analysis to understand your situation. You can use this tool for gap analysis: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/
Once you know where you are, you can consider these general steps to be prepared for certification:
1) getting management buy-in for the project
2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organization and the requirements of interested parties
3) development of risk assessment and treatment methodology
4) perform a risk assessment and define a risk treatment plan (at this point you can make use of process frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandatory by the standard)
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)
6) people training and awareness
7) controls operation
8) performance monitoring and measurement
9) perform internal audit
10) perform management critical review
11) address nonconformities, corrective actions, and opportunities for improvement.
This article will provide you with a further explanation of ISMS implementation:
Regarding implementation approaches, the most common are:
Each one of them has its advantages and disadvantages.
For more information, I suggest you the following materials:
These materials will also help you regarding ISO 27001 implementation: