NOTE : 'Control 12.4 Logging and Monitoring' has been marked applicable in the Statement of Applicability.
Answer: By monitoring you are collecting and recording information about specific events, while review refers to a critical evaluation of the gathered results (and sometimes the set of data can show relevant information that cannot be seen from isolated events), so these are different actions, and control A.12.4.1 (Event logging Control) requires not only log recording, but also the review of the collected data.
Answer: The scope statement should be known by the personnel who:
- handles the information the ISMS is intended to protect;
- work on the locations included in the ISMS scope;
- work on the processes described in the ISMS scope
Additionally, personnel that may affect or be affected by the ISMS (e.g., customers, suppliers, regulators) should be informed about the content that are relevant to them.
Answer: ISO 27001 was designed to be used by organizations of any size and industry, so there are no specific conditions required for performing a gap assessment for a bank, and you can rely on common used techniques like interviews with key personnel, documentation review and observation of daily operations.
Its simple question-and-answer format allows you to visualize which specific elements of an information security management system you’ve already implemented, and what you still need to do.
PCI DSS and ISO 27001
What i am trying to do is to compare ISO 27001, PCI DSS and SWIFT Customer Security Program to see which controls overlap. Any assistance?
This simple question-and-answer format will help you to visualize which specific elements of an ISO 27001 information security management system you’ve already implemented, and what you still need to do.
These articles will provide you further explanation about PCI DSS and ISO 27001:
Answer: You do not need to create separated documents to comply with ISO 27001 if you already have documents that cover similar requirements for ISO 9001 (e.g., control of documents, internal audit, management review, etc.), but you have to take care to adjust them to cover ISO 27001 requirements and your need for information security, and not simply write that the ISO 9001 documents also refer to the Companies ISO 27001 (e.g., in an hypothetical situation, if your internal audit for ISO 9001 is annual, but for any reason the ISO 27001 internal audit is semi-annual, then this difference should be adjusted in your internal audit procedure).
Answer:
1. About “how many documents” please keep in mind two phrases in ISO 9001: “keep documented information” and “maintain documented information”.
“keep documented information” means keeping records like an order from a customer, a validation checklist or a training session. Keep in mind that records can be in digital as well as in paper.
“maintain documented information” means keeping updated documents like the quality policy, or the scope of the system, or a procedure. ISO 9001:2015 does not include any requirement for mandatory p rocedures, it is up to each organization to decide what needs to maintain as a documented procedure. For example, an IT company can maintain procedures as digital checklists.
2.About the scope. For example, I work with an IT company that has three groups of customers to whom they develop software: manufacturing shoes companies; B2B commerce of fruits and vegetables and recycling companies. When developing their quality management system, they decided to just include under the certification scope the development, commercialization and service of software for the shoes manufacturing industry, because the other customers will not value working with a certified supplier.
The following material will provide you information about documented information and scope:
Most of the documents which are marked as not mandatory are either guidance documents which are not mandated by the EU GDPR or forms that are nor mandatory and can be changed based on the requirements of your business.
Also, the whole section 8 regarding Security of Processing is marked as not mandatory because the EU GDPR requires controller and processors to have “adequate” technical and organizational measures in place to protect personal data based on the risk of processing so each organization needs to assess its own risk and decide upon the security measures.
About procedures and manual, they are no longer mandatory – different from forbidden. Something that gives organizations much more freedom to adapt and use what they find useful, and when they find it useful.
The following material will provide you information about the main changes with ISO 9001:2015:
You want to make a fair and rather complete assessment of how your organization interacts or may interact with the environment. Please consider Annex A.6.1.2 where it states clearly that one should consider normal and abnormal operating conditions, shut-down and start-up conditions, as well as reasonably foreseeable emergency situations.
The following material will provide you information about assessment of environmental interactions:
• Your identity, contact details and details of your representative (if any);
• The contact details of your data protection officer;
• The purpose and legal basis of processing. Where legitimate interests is relied upon, details of those interests;
• The right to withdraw consent (if this is the basis for any processing;
• The categories of personal data processed;
• The recipients or categories of recipients of personal data;
• Details of any intended transfer outside the Union. Details of any safeguards relied upon and the means to obtain copies of transfer agreements;
• The period for which data will be stored or the criteria used to determine this period;
• A list of the individual’s rights, including the right to object to direct marketing, make a subject access request, and to be “forgotten”;
• Details of any automated decision making, including details of the logic used and potential consequences for the individual;
• Whether provision of personal data is a statutory or contractual requirement, whether disclosure is mandatory and the consequence of not disclosing personal data;
• The right to complain to a supervisory authority;