Search results

Scope question

1 - What do we really mean when we say that something is Included in the ISMS scope? Does that mean that everything in the ISMS then needs to be applicable to the organization, site, and processes in the scope? Or if not, this needs to be described in the ISMS somewhere? (for example, if we have a sales process and this sales process doesn’t apply to an office that we say is in scope then we need to document this in the ISMS? 

The meaning of something being included in the ISMS scope is that this thing is information, or something related to information, that the organization wants to protect.

For example, if customer information is in the ISMS scope, then it means that this information needs to be protected. In case a sales process is in the ISMS scope, it means that all kinds of information related to the sales process need to be protected.

In your example, in case the sales process is not related to any information you want to protect (those related to the office you mentioned), you do not need to include it in the ISMS scope (or you can explicitly state that the sales process is out of the ISMS scope).

For further information, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

2 - Could we exclude offices/departments from the ISMS because we don’t share the same Core processes if we at the same time share support processes (HR process and some IT processes for example) and steering processes?

Yes. The ISMS scope can be defined in terms of only part of the organization, but please note that for small organizations of up to 100 employees, it is better to define that all organization is part of the scope, because the effort to separate the elements that are in and out of the ISMS scope may not be worthy.

This article will provide you with further explanation about the scope definition:

• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

Question about certification requirements

1 - Could you explain how the certification process is done and what the average costs are?

 The ISO 27001 certification process is performed in two stages:

Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation.

You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

In stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.

Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information, it is not possible to provide you with a precise estimation.

There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.

2 - Can Advisera do this certification?

Currently, Advisera does not perform certification audits.

3 - Can the certification be done online / remote or need to be done onsite? 

Details on how the certification audit can be performed need to be evaluated on a case-by-case basis with the certification body, so you need to contact your certification body for this kind of information.

4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.

First, you should consider a gap analysis to understand your situation. You can use this tool for gap analysis: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool//

Once you know where you are, you can consider these general steps to be prepared for certification:

1) getting management buy-in for the project

2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational and requirements of interested parties

3) development of risk assessment and treatment methodology

4) perform a risk assessment and define a risk tent plan (at this point you can make use of processes frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandatory by the standard)

5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

6) people training and awareness

7) controls operation

8 performance monitoring and measurement

9) perform internal audit

10) perform management critical review

11) address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you with a further explanation of ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

Regarding implementation approaches, the most common are:

• Use your own staff to implement the ISMS
• Use a consultant to perform most of the effort to implement the ISMS
• Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

Each one of them has its advantages and disadvantages.

For more information, I suggest you the following materials:

• 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
• Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach

These materials will also help you regarding ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
• Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
• Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
• ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/

Training and awareness plan

To fill in the training and awareness plan you first need to do is identify which gaps of incompetence you have (i.e., which knowledge, or skills your employees need to have). Some examples are:

• Use of passwords
• Backup operation
• Software installation and patching
• Performing of internal audit

Second, you need to define the method to be applied: training sessions, workshops, newsletters? What will work best for your company? On which frequency to perform them (e.g., weekly, monthly, annually?)

After that, you need to evaluate if these gaps can be fulfilled by internal personnel, or if you will need external support.

Once you have these answers, you can start defining your training and awareness plan.

These articles will provide you with a further explanation about awareness:

• 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
• How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

This material will also help you regarding awareness:

• Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security

Quality Manual

Some labs applied to copy the whole ISO Standard as their quality manual, may I know is this acceptable? 

Not Applicable Controls for SAAS Environment

Please note that the SoA needs to be developed based on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts).

In case you do not have a risk relevant enough that justifies the implementation of control, then you do not need to implement it (i.e., state it as applicable in the SoA). 

The same applies to legal requirements. In case you do not have a law, regulation, or contract that justifies the implementation of control, then you do not need to implement it. 

For further information, see:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

To see examples of applicable controls based on risk assessment, please, see:

• Checklist of cyber threats & safeguards when working from home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
• Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process

Good Manufacturing Practice in pharmaceutical

Yes, there is a certificate for GMP which can be provided both by the notify body or by a competent authority in a particular country (usually the Ministry of health, but you need to check how is in your country that organized). 
A company that has ISO 13485 can not use the GMP mark without approval from notify body or competent authority.  

Record Control Table and Approved Supplier List

You do not need to have a record control table as a separate document, but you do need to have a record control table within each policy or procedure where you require certain records to be created - this record control table is already included in all the document templates in Conformio.

For further information, see:

• Records management in ISO 27001 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/

Regarding approved supplier lists, ISO 27001 does not require this record to be kept, so it would be a management decision to keep such a record in case it considers relevant to their processes.

Specific Documents

Please note that the abovementioned clauses are covered by the following:

• clause 4.1 - Understanding the organization and its context can be evidenced by means of documents “List of Legal, Regulatory and Contractual Requirements”, generated by the 'Register of legal, contractual and other requirements' module, and "Risk Assessment and Risk Treatment Report", generated by the 'Risk register' module.
• clause 5.1 Leadership and commitment can be evidenced by means of documents “Information Security Policy”, “List of Security Objectives”, “Risk Assessment and Risk Treatment Report”, “Risk Treatment Plan”, and “Management review report”.
• clause 6.1.1 General, which refers to risks related to the Information Security Management System itself, can be evidenced by means of the “Risk Treatment Plan”.
• clause6.1.2 Information security risk assessment can be evidenced by means of the “Risk Assessment and Risk Treatment Methodology”.
• clause 9.1 Monitoring, measurement, analysis, and evaluation can be evidenced by means of the records defined on each policy and procedure you have implemented.

A.8.2.2 Labeling of Information

Since you stated in the SoA that control A.8.2.2 Labelling of information is not applicable, then it is sufficient for you to include only N/A in the Labeling column (there is no need to exclude the column).

Regarding controls A.8.2.1 Classification of information and A.8.2.2, you can implement only A.8.2.1 without implementing A.8.2.2 (i.e., you can define classification levels without the need to label media that contains it, although this is not common).

For further information, see:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

Adverse Event Reporting

Yes, you can follow the same procedure. According to Article 16 from the MDR, if the CE mark of the manufacturer stays on the medical device, you do not consider a manufacturer, but rather the distributor.

1 a) makes available on the market a device under its name, registered trade name, or registered trademark, except in cases where a distributor or importer enters into an agreement with a manufacturer whereby the manufacturer is identified as such on the label and is responsible for meeting the requirements placed on manufacturers in this Regulation.

For more information, see:

• EU MRD Article 16 Cases in which obligations of manufacturers apply to importers and distributors or other persons - https://advisera.com/13485academy/mdr/cases-in-which-obligations-of-manufacturers-apply-to-importers-distributors-or-other-persons/