Search results

Organizational chart - ISMS

1 - Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?

For further information about the CISO, see:

• What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
• Chief Information Security Officer (CISO) – where does he belong in an org chart? https://advisera.com/27001academy/blog/2012/09/11/chief-information-security-officer-ciso-where-does-he-belong-in-an-org-chart/

2 - What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?

3 - Could all these roles be covered by *** current QARA Manager?

I’m assuming that by QARA you mean Quality Assurance & Regulatory Affairs.

Considering that, provided that the QARA manager has the competencies needed to perform the roles relevant to information security, this person can assume these roles.

4 - What do you recommend in this regard?

Roles and responsibilities generally designated to a CISO are very similar to those of a QMS manager:

• ensuring that the ISMS conforms to the ISO 27001 requirements
• reporting on the performance of the ISMS to top management

Considering that these management activities can be designated to the QARA.

However, some security roles may require expertise in other areas that may require to be performed by other roles (e.g., network security, performed by an IT analyst).

A proof for fulfillment of requirement A.9.5.1 from ISO 27017

I’m assuming you are referring to control CDL 9.5.1 - Segregation in virtual computing environments.

Regarding the “Risk assessment performed” you can show as evidence the last risk assessment and treatment report, showing to which risks related to “customer-developed/supplied software in the cloud environment” the control CDL 9.5.1 is used as treatment.

Regarding the “mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment”, examples of evidence of implementation of this control are:

• Network diagrams showing how computing environments are segregated
• Firewall rules tables showing the configurations implemented in network devices to segregate the environments
• Results of independent penetration tests covering the evaluation of this control

• Control A.11.2.4

  First is important to note that ISO 27001 controls that are related to business continuity are those from section A.17. Controls from other sections focus on information security, not business continuity.  

  Control A.11.2.4 - Equipment maintenance applies to all equipment in the ISMS scope.

  Considering that, this control may be applied either to your laptops (where you will have to implement the control) or to the equipment provided to you by your supplier (e.g., WiFi router as part of the leased office where you work).

  For further information about applying this control, see:

  • How to implement equipment physical protection according to ISO 27001 A.11.2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/
  • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

  • Specific requirement to provide After-Sales Service

    No, there is no such direct requirement according to ISO 13485 and MDSAP. Considering the Health Canada regulation, I really do not have information regarding that regulation.    

  • IT Security Policy too narrow

    I’m assuming that you did not complete the Risk Register / Statement of Applicability in Conformio.

    Considering that, to complete the IT Security policy according to the ISO 27001 standard, you need to perform the Risk Assessment and Risk Treatment, using the Risk Register Module. After you complete the assessment, Conformio will automatically generate the SoA indicating which controls need to be applied to your IT Security policy.

    Then you need to start the Wizard and answer the required questions (these are based on the results of risk assessment, i.e., the controls that need to be considered for the IT Security policy).

    This way all the relevant controls will be covered in the IT Security Policy, and section 2 of the policy will refer to all controls that are included.

  • Flammability requirements

    Flammability is a specification for the product. In the PPAP process, you will need to perform flammability tests while producing samples according to customer requests.

    There is no expectation in the IATF standard as the number of tests.

    After the product approval, if there is no special customer requirement, it may be necessary to look at the annual product inspections and layout inspections.

  • Scope definition

    The ISMS scope should be determined considering the information you want to protect, not the relation between the entities of a holding company (this specific issue about entities involved in the certification needs to be aligned with your certification body).

    Regarding policies, since the entities have different natures, it would be better to draft different policies, according to the specific risk profile of each entity, as well as other specific issues.

    For further information, see:

    • How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    • Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
    • Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
    • 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

  • Existence of data processing

    According to the definition in Article 4 GDPR – Definitions,  "personal data" means any information relating to an identified or identifiable natural person. The usernames, although some of them are emails and some of them are not, they do lead to the identification of natural persons. They are considered pseudonymized personal data. According to the definition in the same Article 4 GDPR, "pseudonymization" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

    So storing this list of usernames is considered processing of personal data, also according to the definition in Article 4 GDPR, where ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data.

    Please also consult these links:

    • Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
    • A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/
    • Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/