Search results

ISMS scope

I’m assuming that you do not own the data center.

Considering that, for certification purposes, you need to define at least one physical location which belongs to the organization. This one can be the address of the CEO's home, or some office rented by the organization for administrative purposes(like the company HQ).

Since you are a remote company, you should define your scope in terms of the data you want to protect (i.e., the physical data center should be excluded, but the data hosted in this data center should be included) and exclude all remote sites.

These articles will provide you with further explanation of ISMS scope definition:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

This tool can also help you:

• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

• Equipment Qualification vs. Process Qualification and Process Validation

  There are no specific direct requirements regarding the process and/or equipment qualifications. There is a requirement in the ISO 13485:2016 6.3 Infrastructure states that the organization will document requirements for the maintenance activities, control of the work environment, and monitoring and measurement. 
   
  Further on, in requirement 7.5.6 Validation of processes for production and service provision is stated that the manufacturer must validate any process where the resulting output is not apparent. In this requirement is stated which elements must be covered for the validation.  

• Question about audit

  ISO 27001 is not mandatory to implement TISAX, but since they share many similar requirements, you can adopt ISO 27001 to make TISAX implementation and audit easier.

  For further information, see:

  • TISAX – What is it, and how is it related to ISO 27001? https://advisera.com/27001academy/blog/2019/03/11/how-iso-27001-and-tisax-are-related/

• Medical devices

  No, medical devices are not subject to the falsified medicines directive. Implementing the UDI number and registration of the devices in the EUDAMED is a way to prevent falsified medical devices.   

• Required documents

  1. What documents will I need to write in order to be compliant with GDPR?

  You can find the list of documents required by GDPR in this article:
  • List of mandatory documents required by EU GDPR https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/

  2. Is it for example possible to write that we are often changing providers and that the client should contact us to get the correct information?

  I wouldn’t recommend this approach. As a web hosting company, you should act as a data processor for your customers. Thus, in the Data Processing Agreement, according to Article 28 GDPR - Processor, you must mention what sub-processors you use and what they do exactly with your customers’ personal data. According to Article 13 GDPR - Information to be provided where personal data are collected from the data subject, your customers, acting as data controllers, must inform data subjects about the processors they are using. Since there would be only one web hosting company – yours – it wouldn’t make sense to mention a category.

  Please also consult these links:

  • Article 13 GDPR - Information to be provided where personal data are collected from the data subject: https://advisera.com/eugdpracademy/gdpr/information-to-be-provided-where-personal-data-are-collected-from-the-data-subject/
  • Article 28 GDPR – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
  • List of mandatory documents required by EU GDPR: https://advisera.com/articles/list-of-mandatory-documents-required-by-eu-gdpr/
  • EU GDPR controller vs. processor – What are the differences?: https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
  • A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/

• Possibility of including more methods on calibration certificate

  A laboratory and extend it’s scope of accreditation (i.e add more methods) by applying according to the accreditation body’s procedure.

  If as a calibration laboratory you want to add more methods to the calibration certificate you supply to a client, that is not an issue, as long as you are accredited for them. You need to report the method used, which could be a standard method, in-house or modified.

• ISO 27001 and DORA EU

  I’m assuming that by DORA you mean the Digital Operational Resilience Act

  Considering that, DORA’s purpose is to strengthen the financial sector’s resilience to ICT-related incidents, and although not mandatory for DORA, ISO 27001 can provide a robust baseline to support compliance with this objective.

  Regarding personal certifications, you can consider:

  • ISO 27001 Lead Implementer – this certification recognizes people who have competency in the ISO 27001 implementation process.
  • ISO 27001 Lead Auditor – this certification recognizes people who have competency in auditing an ISMS against ISO 27001 requirements and want to become certification auditors (and with this provides more confidence to an organization for being certified).

  These articles will provide you with a further explanation of ISO 27001 personnel certifications:

  • What does ISO 27001 Lead Implementer training look like? https://advisera.com/27001academy/blog/2016/11/28/what-does-iso-27001-lead-implementer-training-look-like/
  • What does ISO 27001 Lead Auditor training look like? https://advisera.com/27001academy/blog/2016/08/29/what-does-iso-27001-lead-auditor-training-look-like/
  • Lead Auditor Course vs. Lead Implementer Course – Which one to go for? https://advisera.com/27001academy/blog/2014/06/16/lead-auditor-course-vs-lead-implementer-course-which-one-to-go-for/

  For courses related to these certifications, please see:

  • ISO 27001:2013 Lead Auditor Course https://advisera.com/training/iso-27001-lead-auditor-course/
  • ISO 27001:2013 Lead Implementer Course https://advisera.com/training/iso-27001-lead-implementer-course/

• Documenting scope of ISMS

  Please note that the application of controls in SoA is not necessarily related to the ISMS scope, but to the results of risks assessment and identified applicable legal requirements (e.g., laws, regulations, and contracts). This means that some controls will be implemented by your company, and some controls by your suppliers or partners.

  For example, even if you do not include outsourced IT services in our ISMS scope, you may have a contract with a customer requiring the implementation of technical control, then this technical control needs to be stated in the SoA as applicable and implemented by your supplier.

• Questions about ISO 27001

  1- How to do a gap analysis of the status of my management system against compliance with the ISMS requirements ISO 27001:2013

  To perform a gap analysis of your ISMS against ISO 27001, please access our free tool: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/

  This is a simple question-and-answer list that allows you to visualize which specific elements of an ISMS you’ve already implemented, and what you still need to do.

  2- List of documents required to comply with ISMS ISO 27001.

  Included in your toolkit you have a list of documents that shows you which are the mandatory documents to be compliant with ISO 27001.

  3. How to develop an ISMS ISO 27001 communications program to interested parties, what should this program contain?

  Please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that a communication program needs to be developed or documented.

  Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes and interested parties. So, having a centralized communication program would overhead people responsible for communication with activities that may not be a part of their attributions. That’s the reason there isn’t a specific template for a communication program.

  The main documents in the toolkit that define how communication needs to be done (which could be considered as part of a communication program) are:

  • the Information Security Policy, located in folder 4 General Policies
  • the Training and Awareness plan, located in folder 9 Training and Awareness
  • the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
  • the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

  4. How to develop an ISMS ISO 27001 awareness program for stakeholders, what should this program contain?

  For information security these are some security practices you should consider (without more information about your context is not possible to suggest additional alternatives):

  • Authentication
  • Network connection
  • Access to the device
  • Physical security
  • Data encryption
  • Backup
  • Software installation and patching
  • Basic security “hygiene”
  • Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

  These articles will provide you with further explanation about security practices:

  • 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
  • How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

  You can use the Training and Awareness Plan template, located in folder 9 Training and awareness, to document the activities to be performed.

  5. How to develop a Management review procedure program

  Please note that ISO 27001 does not require a procedure for Management Review to be documented, so to be compliant with the standard you can just use the Management Review minutes template located in folder 11 Management review.

  In case your doubt is about review periodicity, the minimum is to perform a management review once a year, or more often if any major change happens that can influence information security (e.g., there is a new client who has very particular requests regarding the confidentiality or availability of your systems). However, it could be done more often (e.g., quarterly) if the management wants to be more involved in operational issues.

  For further information, see:

  • Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

• Determining scope of certificate for company that outsources production processes

  No matter whether the production process is outsourced, that process must be in the scope. From the market point of view, regardless of the fact that production is outsourced, that company is responsible for the product.