Search results

Backup and DR plans - outsourced services

Please note that RTOs are usually set at the department level, while RPOs are set at the application level.

Considering that you do not need to define a specific RTO for each application. They will inherit the RTO from the business departments they are related to.

Regarding the RPO, you can group them according to their criticality or other predefined criteria (e.g., belonging to the same department or process, having a similar RPO) and defining a single RPO for the whole group. Therefore, you will have a different RPO for each of your 3 categories of applications.

This would make your administration job easier. But you need to evaluate the impact of adopting general RTOs/RPOs considering the allocation of resources and fulfillment of legal requirements. 

These articles will provide you with further explanation about RPO and RTO:

• What is the difference between Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? https://advisera.com/27001academy/knowledgebase/what-is-the-difference-between-recovery-time-objective-rto-and-recovery-point-objective-rpo/
• Explanation of the most common business continuity terms https://advisera.com/27001academy/blog/2021/01/18/explanation-of-most-common-business-continuity-terms/

• ISO 27001 Scope Document

  1 - Do we need to show network documentation of all offices in the ISMS scope, or can we put reference links to the documentation?

  For the ISMS scope document, there is no need to show network documentation, but if you want you can include reference links to detailed documentation. 

  2 - Do we need to include network diagrams of each office in the ISMS scope document?

  There is no need to include high-level topology diagrams, but if you want you can include reference like those included on page 5 of each of your documents to give an overview of the network topology.

  3 - Do we need to include the XYZ1 office in the scope as the whole outsourcing department works from XYZ2, and it's only the senior managers like the CEO and Founder who work from  XYZ1 including the IT security administrator?

  Yes, you should include the XYZ1 office in the scope, or at least the part of the office with senior management and the IT security administrator.

  4 - Will the ISMS scope focus on the outsourcing department's IT infrastructure be enough, or do we need to implement the ISMS scope to cover the *** IT operations infrastructure across the business?

  This answer will depend on the information you want to protect. In case you want to protect the information handled and processed by ***, then you need to include the IT operations infrastructure that runs across the business. If this is not the case, then the scope covering the Outsourcing departments will be enough.

• SOA Control Objectives

  The controls listed in the SoA template included in the ISO 27001:2022 toolkit are the same ones defined in the ISO 27002:2022.

  Please note that the column “Control Objectives” needs to be filled in by the organization. Control objectives are not mandatory in SoA, but including them in the SoA will make it easier to follow them, and reduce administrative effort to keep them in a separate document.

  These articles will provide you with further explanation about ISO 27001 and ISO 27002 controls:

  • ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
  • Main changes in the new ISO 27002 2022 revision https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/
  • Detailed explanation of 11 new security controls in ISO 27001:2022 https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/

  • Add Further Reference Documents

    You can address these requirements in your ISMS by including the ISM and the RFRR as legal requirements in the Register of Requirements module.

    In addition to including these requirements in the Register of Requirements, you need to implement the security controls related to them. These will be automatically identified in the Statement of Applicability when you define the information in the “To what area is this requirement related?” field in the Register of Requirements module for each entry.

    Considering the ISM, suggested areas are “Specifying mandatory safeguards” or “Identification of stakeholders and security requirements”.

    Considering the RFFR, the suggested area is “Risk Management”.

  • ISO 27001 - Question nonconformities

    Please note that findings do not become nonconformities because they are related to risks, but because they evidence noncompliance with defined rules (e.g., policies and procedures), planned actions (e.g., actions not executed or wrongly executed), or expected results (e.g., missing results or wrong results).

    Regarding nonconformities classification, ISO 27001 does not require them to be classified, so you can adopt criteria that best fit your needs. Associating them to a risk level is an acceptable criterion. Certification audits adopt minor and major levels to classify nonconformities, and this is also an option for you.

    This article will provide you with further explanation about the classification of nonconformities:

    • Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

  • Determining necessary security measures

    1- From the role of DPO in a Spanish company (provider of Head Hunting and Personnel Search services) that has begun its adaptation to GDPR, how should the actions to be taken be planned in an orderly manner to determine the necessary security measures? , which guarantee the rights of users (candidates who apply for Internet searches and through forms/questionnaires to be completed on the institutional website of the Spanish company) and also the security of the information of their personal data (sensitive because they have health data)?

    We have an EU GDPR Documentation Toolkit which is structured in a simple and intuitive way to help you drive your GDPR-Compliance project. You can start with the Project Plan, in the first Directory, and gather all the necessary information to fill in all the required documents. The toolkit also contains privacy notices templates that you can use to inform the candidates about how you process their personal data. Moreover, you also have Live Expert Support, should you require it. 

    On our website we also have resources that you can use, please consult these links as well:

    • 9 steps for implementing GDPR: https://advisera.com/articles/9-steps-for-implementing-gdpr/
    • A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements
    • EU GDPR Document Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/

    2. Would there be a document or article published on the Internet that has a mapping between what is required by GDPR and what is recommended by good practices: ISO 27001, ISO 27701, ISO 27002, ISO 27018?

    We have a free webinar – How to integrate GDPR with ISO 27001 – which we offer for free, you can listen to the recording or join the next time it will be live. Also, we have some free resources on our website, please consult these links as well:

    • How an ISO 27001 expert can become a GDPR data protection officer: https://advisera.com/27001academy/blog/2020/01/20/iso-27001-practitioner-becoming-a-gdpr-data-protection-officer/
    • What is EU GDPR and how can ISO 27001 help?: https://info.advisera.com/27001academy/free-download/what-is-eu-gdpr-and-how-can-iso-27001-help
    • Relationship between ISO 27701, ISO 27001, and ISO 27002: https://advisera.com/27001academy/blog/2019/12/10/relationship-between-iso-27701-iso-27001-and-iso-27002/
    • How to integrate GDPR with ISO 27001: https://advisera.com/eugdpracademy/webinar/how-to-integrate-gdpr-with-iso-27001-free-webinar-on-demand/

  • Labeling of medical device accessories

    The standard that talks about symbols for medical products is ISO 15223-1:2021. There is no laser symbol specifically in it, but it says that the manufacturer is responsible for conducting a risk analysis based on which he will assess what information he must provide to the user. In your risk analysis, the danger of laser beams must be covered, so it is logical that such a symbol exists on the product.

  • Supplier Security Policy

    I’m assuming you are referring to the text “, as well as audit the supplier or partner at least once a year.” in section 3.5 of the Supplier Security Policy.

    Considering that this text means that, as you need to audit your processes, you also need to audit suppliers and partners to ensure they have implemented the security controls you agreed with them, and if the controls are performing properly.

    Please note that such audits are required only if control A.15.2.1 - Monitoring and review of supplier services is stated as applicable in the Statement of Applicability.

    Additionally, there are different types of audits, some more thorough (e.g., a comprehensive local audit), others simpler (e.g., verification of applied security clauses), and you should consider criteria such as the criticality of the supplier, results of previous audits and incidents history to decide which audit approach to apply.

    For further information, see:

    • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
    • How to perform an ISO 27001 second-party audit of an outsourced supplier https://advisera.com/27001academy/blog/2017/10/10/how-to-perform-an-iso-27001-second-party-audit-of-an-outsourced-supplier/

  • Internal Audit Questions

    1. On the first management review meeting should we discuss about the Internal Audit  

    Results of performed internal audits are mandatory inputs to be discussed in the management review.

    For further information, see:

    • Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/

    2. Should the project manager gather all pieces of information during the project implementation

    The project manager is responsible to ensure that information needed for the ISMS implementation is identified and gathered by the information owners (e.g., department heads, process owners, users, etc.).

    Please note that the project manager has a coordinator role regarding tasks to be performed in the ISMS implementation project.

    For further information, see:

    • RACI matrix for ISO 27001 implementation project https://advisera.com/27001academy/blog/2018/11/05/raci-matrix-for-iso-27001-implementation-project/

  • ISO security framework or standard for IoT

    I’m assuming that by CSA you mean Cloud Security Alliance.

    Considering that, ISO has three specific standards related to IoT:

    • ISO/IEC 21823-2:2020 Internet of things (IoT) — Interoperability for IoT systems — Part 2: Transport interoperability
    • ISO/IEC TR 30164:2020 Internet of things (IoT) — Edge computing
    • ISO/IEC TR 30166:2020 Internet of things (IoT) — Industrial IoT

    They do not define a security framework for IoT, but security requirements that need to be considered (e.g., Security and privacy, by ISO/IEC TR 30164:2020, and Security requirements by ISO/IEC 21823-2:2020), and ISO 27001 can be used to implement the security framework to fulfill such requirements.

    These articles will provide you with further explanation about ISO 27001 and how to work with security controls:

    • The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
    • Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/