Search results

Questions about Scope of my ISMS ISO 27001:2013

1. Should I write the exact listing of all the information assets covered?

2. Should I write the exact list of the information provided?

3. Should I write the exact list of applications / software covered?

4. Should I write the exact list of the physical offices covered?

5. Should I write the exact listing of the databases covered?

6. Should I write the exact list of websites / mobile applications covered?

7. If I want to include all the information assets of my organization is it sufficient to write: "The scope of the SGSI covers all the information assets of the Organization" or do I have to be explicit by detailing all the information assets?

This answer applies to questions 1 to 7.

The ISMS scope is normally defined in terms of general information (e.g., business information, customer information, R&D information, etc.), processes (SW development process, customer support process, sales process, etc.) or location (e.g., headquarters, an office, a building, etc.) to be protected, so you do not need to include assets in the definition of the ISMS scope.

For further information, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

8. Do I have virtual machines on Microsoft Azure that run critical applications, should I specify that the scope only covers the applications installed on these virtual machines that are on Microsoft Azure? or should I also include the virtual machines and their contents?

When dealing with cloud services, you need to include in the ISMS only the elements you are responsible for. The other elements can be left out of the scope.

In this case, if you control the virtual machines (i.e., their maintenance and operation), then you need to include them in the ISMS. In case not, you only need to include the applications in the ISMS scope.

For further information, see:

• Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

9. We currently have corporate mail with GOOGLE, is mail a critical asset in our organization, should I also include it in its scope if a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?

In this case, since GOOGLE provides email as a service, you need to include in the ISMS scope only the email data.

10. Currently we send our customers emails and massive newsletters that contain important business information, are these emails and newsletters sent through a provider's software, should I also include it in the scope of a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?

In the ISMS scope, you need to include the reference to the data, and mention that related services are provided by third parties.

Swiss Notified Bodies

No, it means that you can sell all products. Class I must be in compliance with the MDR from May 2021. So, you have a very good client that follows everything necessary. 

Legal and contractual requirements question

First is important to note that the article linked to the template is only a starting point (it is updated by contributions of our readers and may not be fully updated). Our recommendation is for you to seek local legal advice so they can help you identify other legal requirements you need to consider for your ISO 27001 implementation (e.g., local laws and regulations).

ISO 27001 does not prescribe how long the list of Legal, Regulatory, and Contractual requirements must be. It is likely your list will be short since normally transportation companies are not security regulated, but they might have some privacy regulations that are applicable. 

For further information, see:

How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301/
How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

Mapping of requirements categories to ISO 27001 controls

1) There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the dropdown list for the Area field, right?

But my point is that there is no option for Human Resources Security available from the dropdown list for the Area field.

 So my initial question some time ago was, why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the area drop down list.

Answer: The absence of a Human Resources Security area is a design decision because HR security controls are related to the following areas:
Managing security with suppliers and partners: A.7.1.1, A.7.1.2, A.7.2.2

Confidentiality obligations and non-disclosure agreements: A.7.1.2, A.7.3.1

Handling security events, incidents, and data breaches: A.7.2.3

Control A.7.2.1 is related to the Information Security Policy

But you are right, we will add the HR area to make the Register more user friendly.

2) I understand the reasoning behind mandatory safeguards, but my question about that was where do these requirements show up in the SoA? Or do they need to be added to the SoA manually?

I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as art of request 63693.

Answer: When a requirement area is chosen in the Register of requirements, the related controls will be displayed automatically in the Statement of Applicability. There is no need for manual addition.

In case of need, i.e., when you need to related a control to a specific requirement not automatically defined, you can edit the specific justification in the SoA and make the inclusion manually.

Corrective actions and nonconformities

Nonconformities found in the internal audit only will become a problem in the external audit if they are not solved as planned (i.e., actions related to them are not performed or are delayed without proper justification), or if there is a recurrence of the same nonconformity (this may mean that the root causes were not eliminated). In case they are solved as planned and there are no recurrences they will not mean a problem in the external audit.  

Please note that ISO 27001 does not require non-conformities in internal audits to be classified. Normally non-conformities are classified during surveillance/certification audits.

For further information, see:

• Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/

Rules on a laboratory notebook

A laboratory can use any medium and format to record technical data as long as the technical information is captured at the time of the activity, it is controlled and retained. The information must be traceable to personnel, equipment and time of activity to meet ISO 17025 clause 7.5 requirements.

For more information regarding Records, see the ISO 17025 toolkit document template: Document and Record Control Procedure at https://advisera.com/17025academy/documentation/document-and-record-control-procedure/ as well as Control of data and information management, see the ISO 17025 toolkit document template: Quality Assurance Procedure at https://advisera.com/17025academy/documentation/quality-assurance-procedure/

ISO 27001 and ISO23301 Policies

1. Currently the password policy is part of the ISMS and has couple of lines. The policy is a framework that does not provide technical details. I see your policy template is slightly more expanded. What other document/statement/process/procedure I need to develop to complement this policy which will include a details of the implementation and controls we use within the organization.

Answer: Documents you may consider to complement this policy are related to how to configure the password rules for users and for password management in specific operating systems and applications (e.g., one procedure for such configuration on Windows SO, another for Mac SO, etc.).

Please note that ISO 27001 is based on a risk management approach, so, from a standard’s point of view, such documents are necessary only if you have relevant risks that justify their implementation. If such risks do not exist, you do not need to create additional documents.

For further information, see:
- Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

2. The password policy does not work. The people are using digital files to store their password, use the browser to remember their passwords or private password management apps. How would I define the risk associated with this. I thought risk of noncompliance, but this is not to correct main risk. So what would be the risk associated with not correctly defined password policy.

Answer:  Considering that stated scenario, you should consider at least two risks:
- loss of confidentiality, in case passwords are leaked due to, e.g., improper storage, and unauthorized people have access to them.
- loss of availability, in case passwords are lost due to, e.g., fire or media corruption and people are unable to open the files/folders they need.  

3. We have no patch policy and need to define the risk. Please note we have robust patch policy which is decent. The only issue we have is that some users do not use the devices and they become high risk. Any info on the Risk definition as well as what we can enforce so the devices are connected once in a while (month) would be appreciated.

Answer: From your statement, I’m assuming you do not have a Patch Policy document, but you have e robust patch process.

Considering that, a risk you should consider is that devices become vulnerable due to long periods without getting updated. Regarding applicable controls, if users do not use the devices, as you said, controls to enforce updates won’t be much use without monitoring controls to identify which devices have missed important updates.

You can see how to set these rules in the IT Security Policy template, section 3.16.2 Basic rules. This template is located in folder 08 Annex A Security Controls >> A.8 Asset Management

4. We have no weekly vulnerably scanning. I am not sure how to define what is the RISK in terms of definition

Answer: Without periodic vulnerability scanning, you may miss relevant zero-day threats or updates released by manufacturers that need to be applied to your assets, and outdated software may pose a risk to information security.

5. Same is for not have visibility of the security stack. The support company is slow to provide me with reporting and read access to the security systems in place. I have not good reporting to provide SME to the board.

Answer: The risk here is related to unavailable information about provided services, which may impact decision-making about information security and/or business initiatives.

In the Risk Assessment table included in your toolkit (in folder 05 Risk Assessment and Risk Treatment) you can find a set of suggestions of assets, threats, and vulnerabilities you can use to identify risks. Third-party services are also assessed through this document.

For further information, see:
- Risk assessment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

BC/DR

6. On the BC/DR where do I start. We have one general overview of the BC/DR as a policy with people hierarchy.

Answer: To develop the BC/DR plans you only need to follow the steps in the “Business continuity” folder, and fill out the documents in the order they are presented in the folder.

7. Resilience and Emergency Planning exercise - We previously did a live one but should consider table top and other ways of doing (I have not been involved). What would be your recommendation how to lead, prepare for this. Please note my previous company was only 30 people and was straight forward. Now is 250, number of departments and needs to follow some Government framework.

The Total blackout plan (week of no electricity). Please note our business would not suffer any damage from this downtime. Only couple of people after that period need to be able to communicate

Any suggestions where to start with will be great.

Answer: Approaches you can consider for performing BCP tests will vary considering the effort, resource allocation, and required confidence on tests results:
Desk check – checking the plans by means of auditing, validation, and verification techniques
Plan walk-through – checking the plans by means of team interaction
Functional testing – testing all interrelated plans for selected activities (including supplier procedures) with real resources in a controlled (announced) exercise.
Full testing – all activities are relocated from the original site to the alternative site (announced or unannounced)

Our suggestion is to start with a Desk check and prepare a plan defining when other tests can be performed. This way you can ensure a gradual increase in test effort, while all people involved will gain confidence in the plan and in their skills to perform it, and at the same time, you can provide the required corrective and preventive actions.  

 For conducting BCP and DRP tests the most important points are:
- Defining the purpose of the test (e.g., check if the activities are still valid if personnel are aware of them and know how to perform them, etc)
- Define clear goals (e.g., the maximum time to conclude the test, which is how many activities were recovered, etc.)
- define test strategy (e.g., tabletop, walk-through, simulation, etc.)
- identify corrections to be made and opportunities for improvement  

ISO 22301 does not prescribe a number of disaster recovery simulations or tests to be conducted per year, only that tests must be performed to provide enough confidence that the plans will work properly when needed.

Considering that, the number and type of tests to be performed should consider:
- the criticality of the plan for business continuity (i.e., which processes and services they are related to)
- the results of risk assessment and business impact analysis
- applicable legal requirements (e.g., laws, regulations, and contracts.)

In most cases, exercising and testing are done once a year. 

This article will provide you a further explanation about BCP and DRP test:
- How to perform business continuity exercising and testing according to ISO 22301 https://advisera.com/27001academy/blog/2015/02/02/how-to-perform-business-continuity-exercising-and-testing-according-to-iso-22301/

This material will also help you regarding BCP and DRP test:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/books/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/

ISO 9001:2015 version revision

ISO 9001:2015 will not expire in September. Period!

What happened recently was the decision to start writing the specification that will guide the development project of a new version https://committee.iso.org/sites/tc176sc2/home/news/content-left-area/news-and-updates/iso-9001-design-specification-to.html

It will still take about 3 to 5 years to have a new version.

Closing the NC - Processes to follow

It is very difficult to help you close this NC when we don’t know what is/are the root cause(s). Have you determined the environmental aspects and impacts associated with the manufacturing process? If not, you have to. If yes, have you determined the situations associated with potential accidents and emergencies? If you don't have to. If yes, what failed? Did you misjudge the seriousness potential of these situations? Have you not developed the means and practices of prevention and response? For each step of the manufacturing process, think about:

• what can go wrong?
• what can we control or watch to avoid or minimize the possibility of going wrong?
• what practices should you adopt to avoid or minimize the possibility of going wrong?
• what training and awareness should you give to avoid or minimize the possibility of going wrong?
• what means of response should you have to respond if despite everything, the accident or emergency situation occurs?
• what simulations should you try to prepare people and evaluate means of response?

You can find more information below: