
  • Requirements for MSP Company Regarding Supplier Security Policy

    I’m assuming you are looking for accredited certification bodies.

    Considering that, please note that there is no central site listing ISO 27001 certification bodies. The main certification bodies for ISO 27001 are:

    • BSI: https://www.bsigroup.com
    • Bureau Veritas: https://www.dnvgl.com/
    • DNV: https://www.dnvgl.com/services?ServiceTypes=136423
    • SGS: www.sgs.com/
    • TUV: www.tuv.com

    This article will provide you with further explanation about selecting a certification body:

  • Implementation of ISO 27001 already having a QMS (ISO 13485) in the company

    I agree with Rhand.

    Most clients I've dealt with usually combine their management systems such as ISO27001 together with other management standards such as ISO9001 and ISO14001.

  • ISO 27001 Audit

    The absence of an HR manager would be a problem in an audit only if this absence negatively impacts information security in an unacceptable way (e.g., the relevant information is lost or information security processes are interrupted), and you do not have a planned treatment for this situation.

    If there are no negative impacts to information security due to the HR manager's absence, or if devised actions like formally designating a temporary substitute (who could be one of the junior employees or a manager from another area) have reduced the risks to acceptable levels, this absence wouldn’t be a problem in the audit.

    The best way to handle this situation is to include a risk such as “Loss of key personnel” in your information security risk management process and use the process to determine whether the risk is relevant and, if it is, to define proper actions to treat it.

    These articles will provide you with further explanation:

  • ISMS Roles and Organisation within Conformio

    Besides Top Management, ISO 27001 does not prescribe roles related to information security management, so organizations can define them as best fits their needs.

    Common practice is to attribute information security responsibilities to already existing roles in the organization (e.g., responsibilities for IT security designated to the IT manager, responsibilities for physical security designated to the operations officer, etc.).

    Conformio’s roles were designed considering the most common organizational roles (e.g., IT manager, HR manager, Finance manager, etc.).

    These articles will provide you with further explanation:

  • Statutory, regulatory, and contractual requirements (clause A.18.1.1)

    I’m assuming you are referring to the article “List of mandatory documents required by ISO 27001 (2013 revision)”.

    Considering that, the item “Statutory, regulatory, and contractual requirements (clause A.18.1.1)” refers to the document “List of Legal, Regulatory, Contractual and Other Requirements” included in the List of documents file. It is located in the folder “Identification of Requirements”.

  • ISMS and BCMS

    1. In the document "PROCEDURE FOR THE CONTROL OF DOCUMENTS AND RECORDS", I have to choose between ISMS and SMCA.

    When filling out the "PROJECT PLAN", I read one of your comments "Delete this text and the table if business continuity management is not part of the project."

    Can we do both with your kit? Does choosing the ISMS automatically include the SMCA?

    I’m assuming that by SMCA you mean Système de Management de la Continuité des Activités (Business Continuity Management System).

    Considering that, the FR ISO 27001 Documentation Toolkit you bought can be used only to implement ISO 27001. What happens is that some templates in the ISO 27001 Documentation Toolkit are also used for ISO 22301 implementation, but your toolkit does not have all templates for implementing ISO 22301 (this is not an automatic choice, you need to choose the toolkit according to your specific needs).

    For implementing both ISO 27001 and ISO 22301 you will need the ISO 27001 & ISO 22301 Premium Documentation Toolkit (this toolkit contains all templates designed for both ISO 27001 and ISO 22301): https://advisera.com/27001academy/fr/boite-a-outils-iso-27001-iso-22301-premium/

    2. In the document "PROCEDURE FOR THE CONTROL OF DOCUMENTS AND RECORDS", we must define the Title of a post ensuring the conformity of the documents.

    We are 5 in the company. I am the founder and I took charge of the file. Should I put my name, my post of "President", or something else?

    Can I put my role in this "Quality Manager" project?

    ISO 27001 does not specify how to identify responsibilities in documents, but common practice is to use job titles, so in case a person is replaced you do not need to update the document.

    Considering your case, if the "Quality Manager" role will still be used after the project is concluded, then you can use it. If not, you should use the “President” role.

  • Control plan

    I assume your question is about a finding written in the IATF audit. The control plan describes what the process and product controls should be, the frequency of control, and the recording location. The responsible person should make these checks and write the actual values in the relevant form. If these controls are missing, the control plan is not being complied with, and a finding can be written against clause 8.5.1.1 of the IATF 16949 standard, or against the production monitoring clause 9.1.1.1 of IATF 16949. If this issue appeared during the set-up controls, a finding can also be written against clause 8.5.1.3 of the IATF 16949 standard.

  • ISO 27001 certification question

    An ISO 27001 certification means that an organization complies only with the requirements of the ISO 27001 standard. It does not mean compliance with other regulations or boards.

    For further information, see:

    • How to get ISO 27001 certified https://advisera.com/27001academy/iso-27001-certification/

  • Change in ISMS

    ISO 27001 does not prescribe the contents of change records, so organizations can develop them as they see fit.

    To see an example, I suggest you take a look at the free demo of our Request for Change and Change Record at this link: https://advisera.com/20000academy/documentation/request-for-change-and-change-record/, but remember that such a form is not really needed for ISO 27001 compliance.

    For further information see:

    • How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • ISO stand out

    I’m assuming that by KSA you mean the Kingdom of Saudi Arabia and that NCA ECC are the Cyber Security Controls from the National Cyber Security Authority.

    Considering that, please note that NCA ECC focuses on cybersecurity domains, while ISO 27001 is more comprehensive (you can use it in non-technology-based environments, for example).

    Additionally, on closer inspection, you can identify that all controls from ISO 27001 Annex A are covered by NCA ECC, but applied with a cybersecurity orientation.

    So, the main difference between NCA ECC and ISO 27001 is not related to controls, but to their applicability (ISO 27001 is more comprehensive), and to the fact that a company can get ISO 27001 certified, and the ISO 27001 standard is recognized worldwide.
