
  • Who should access risk management documents


    Answer: When you perform the risk assessment, you should also assess the risks related to these ISMS documents - if the risks are high, then you should allow only a very few people to access them; if the risks are low, then you can allow a wider circle of people to access them.

    This principle is called the classification of information - you can find more information in this article: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
  • Defining the scope of ISO 27001


    Answer: For a smaller company of up to 50 employees, the best option is to include your whole company in the ISO 27001 scope, because it would be too costly to try to keep a part of such a small company out of the scope.

    For larger companies (e.g. more than 500 employees) you should choose a department or a location to include in the scope for the beginning - after you successfully implement the standard in such a smaller scope, you can expand further.

    For companies between 50 and 500 employees - you should assess which approach between the two described better fits you.

    Here are some articles that will help you:
    - How to define the ISMS scope: https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Problems with defining the ISMS scope: https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

    This free online training will also help you with scoping: ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
  • Handling maintenance


    Answer:
    I list all equipment and determine which is critical and deserves/needs preventive maintenance. For those that are not critical, I only record any curative maintenance done and the costs incurred. ISO 9001:2015 is very general about infrastructure; what is important is its effectiveness. You don’t want nonconformities or delays, for example, because of equipment breakdown or equipment malfunction.

    The following material will provide you information about maintenance:

    - ISO 9001 blog - Understanding Resource Management in ISO 9001 - https://advisera.com/9001academy/blog/2014/02/11/understanding-resource-management-iso-9001/
    - Plan for Preventive Maintenance of Equipment - https://advisera.com/9001academy/documentation/plan-preventive-maintenance-equipment/
    - free online training ISO 9001:2015 Foundations Course - https://training.advisera.com/course/iso-90012015-foundations-course/
    - book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/
  • AS9100 Rev D documentation

    2. Requirements for Quality Manual at a minimum (without copying the AS9100 standard with wording changes to fit the organization).

    Answer:
    1. For the required documents I would recommend reading our free whitepaper on the documents required for AS9100: https://info.advisera.com/9100academy/free-download/as9100-rev-d-list-of-mandatory-documents
    2. As for the quality manual this is no longer a strict requirement of AS9100 Rev D. However, in clause 4.4.2 the standard does mention a list of documented information that can be collected into a single source document and called a quality manual. This includes: description of relevant interested parties, scope of the QMS, description of organization processes and their application, the sequence of processes and the assignment of responsibilities and authorities for processes.
    For some further help with implementation check out our project checklist: https://info.advisera.com/9100academy/free-download/project-checklist-for-as9100-rev-d-implementation
  • Multi controllers


    Answer:

    “Controllers in common” or “independent controllers” are both processing personal data, but independently and for different purposes, and there is no requirement to have a document stating their obligations, as they are both bound by the controller obligations under GDPR. The GDPR only requires having such a document between controllers and processors or between joint controllers.

    This is the reason why we don't have such a document in the toolkit. Please note that the Supplier Data Processing Agreement is not suited to be used in a controller-to-controller situation.
  • Incident management procedure - treatment of minor events (3.3)


    Answer:

    ISO 27001 is not specific on how to record the incidents, which means you can do it in any way that you see fit. This means you could log minor incidents that happen the first time in the Incident log, but in such case I would recommend that you mark separately first-time incidents from those that are happening repeatedly.
  • SoA - A.6.1.3 - Incident Response Plan


    Answer:

    The incident response plan is a document needed only if you want to become compliant with ISO 22301; it is not needed for ISO 27001. Therefore, it is not part of the ISO 27001 Toolkit (it is a part of the ISO 27001 & ISO 22301 Premium Toolkit).

    To become compliant with ISO 27001 control A.6.1.3 (Contact with authorities) it is enough to specify in your Statement of Applicability who in your company will be in contact with e.g. police, regulatory agencies, etc. - the standard does not require you to have an extra document for that purpose.
  • Are Annex A.11 controls mandatory?


    Answer:

    ISO 27001 says that none of the controls are mandatory, and that you have to apply a control only if there is a reason to do so. The reasons could be risk assessment, contractual or regulatory requirement, or e.g. business decision from your management.

    So physical and environmental controls are not mandatory, and you should apply them only if the risks are too high, if you have some client asking you to do this, or if there is some other business reason to do so.

    This article will help you: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

    These materials will also help you regarding risk assessment and controls:
    - Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your
    Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
    - Free online training ISO 27001 Foundations Course
    https://advisera.com/training/iso-27001-foundations-course/
  • Ensuring contractual and regulatory requirements are met

    We received these questions:

    >1- Is this documentation mandatory?

    Answer: According to ISO 27001, clause 7.5.1 b), documents considered by the organization as necessary for the effectiveness of the ISMS must be considered mandatory.

    That said, contracts, regulations, and laws that may be used as inputs to the risk management process or to define requirements for security controls must be considered mandatory.

    >2 - Does this need to be stated in the security policy or can it be left out?

    Answer: You can include an overall statement about complying with legal and contractual requirements, but I recommend that you keep this information separate from the Information Security Policy, because otherwise you might need to update the Policy too often.
  • Business continuity documents for ISO 27001


    Answer: Yes, this document is completely enough to become ISO 27001 compliant regarding business continuity.

    The document "operating processes for information and communication technology" in folder 12 of the toolkit refers to a business continuity management strategy as a reference document. There isn’t any template for that strategy, right? Can we delete this reference to the business continuity management strategy?

    Answer: There is no Business Continuity Strategy template in the ISO 27001 Toolkit - feel free to delete this reference. This strategy is part of the ISO 27001 & ISO 22301 Toolkit, and is needed only if you want to become ISO 22301 compliant.