Search results


  • Annex A controls

    Please note that many of the clauses and controls you mentioned do not need to be documented according to the standard, and in our opinion, it would be an overhead to document each and every one of them in a small company. 

    Our ISO 27001 Documentation Toolkit was designed to cover all mandatory documents and some documents that are not mandatory but are commonly used.

    Our toolkit is created specifically for smaller companies that want to implement ISO 27001 in a quick way, without unnecessary paperwork.

    For faster verification, you can use the List of documents file included in the toolkit. This document shows you which controls are covered by each template.

    In case there is a document you need to implement that is not in the toolkit, you can request support from us to help develop it.

    This article will also help you: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ 

  • ISO 27001 Documentation

    In your toolkit, there is an Inventory of assets template that you can use to track assets. This template is located in folder 08 Annex A Security Controls >> A.8 Asset Management

    For further information, see:

  • Three-Year ISO Certification Cycle

    This three-year cycle period was a recommendation from the International Accreditation Forum (IAF) for certification bodies to be compliant with ISO 17021, the ISO standard which defines requirements for certification bodies.

    IAF sets common requirements for organizations acting as certification bodies.

  • 13485 Implementation

    In section 1 Scope of ISO 13485:2016 it is stated that this standard applies to both medical devices and related services. So, yes, it is possible to implement ISO 13485 for providing a service. The best approach to this situation is that wherever you see the word production, read it as service. So when you go through 7.5 Production and service provision, just look at it from the aspect of service provision.

    Of course, certain requirements will not be applicable to your company; therefore, you will not prepare any documentation for these requirements (such as sterilization, installation, work environment, and so on).

  • Conformio Risk Register

    Conformio does not have a risk register module based on an information-focused approach, because “information-focused” is not an approach for risk assessment, but the way you need to see risks when using a risk assessment approach.

    Please note that clause 6.1.2.c.1 does not define a risk assessment method, only that the chosen approach focuses on risks related to the loss of confidentiality, integrity, and availability of information the ISMS is intended to protect (which is to be “information-focused”).

    Considering that, all chosen approaches for information security risk assessment (e.g., asset-based, process-based, scenario-based, etc.) need to be information-focused.

    The asset-based approach used in Conformio’s Risk Register is information-focused because each asset-vulnerability-threat combination is defined in a way that leads to a potential loss of confidentiality, integrity, or availability of information.

    For example, the risk of “paper report – single copy – fire” leads to a potential loss of confidentiality.

    For further information, see:

  • SOPs SWIs etc.

    It is important to note that while there is a documentation structure procedure, ISO 10013:2001, this structure is not required in the ISO management systems. It is a structure that is recommended for complex systems, but smaller companies do not need to have this sort of complex, multi-level system.

    In this system, a policy is the top level, and gives the statement of intent on something. So, a statement that hazard identification will be done, and why, would be in a policy. A procedure is intended to give the who, what, where, when, and why of the activity. So, a procedure will give these details of the hazard identification. The work instruction gives the step-by-step instructions of how to do something, like how to do the hazard assessment, or how to actually do a process step-by-step to ensure safe operation.

    Of course, nothing dictates that these need to be separate. You can include policy statements, procedure statements, and step-by-step instructions in one document if you wish, including different sections for each work instruction for each type of welding. As stated at the beginning, this is the sort of structure that a large company might use, and is not necessarily required. To avoid duplication, each work instruction will link to one procedure, and several procedures may link to one policy.


    You can read more on the ISO documentation model in the following article from the 9100Academy that is applicable to all ISO management systems: How to structure AS9100 Rev D documentation, https://advisera.com/9100academy/knowledgebase/how-to-structure-as9100-rev-d-documentation/

  • Query on Business Continuity Plan

    Please note that the RTO is related to the time needed to recover minimal agreed service levels after disruption is detected, not to the duration of an incident.

    So, a more proper statement would be that the DRP will be activated as long as the time to recover minimal agreed service levels exceeds the established RTO time.

    For example, in a disruption caused by a lightning bolt, the incident can be over in seconds, while in a disruption caused by fire, it may take several hours for the fire to be extinguished.

    In the fire situation, you do not need to wait for the fire to be controlled to assess the time for recovery, compare it with the RTO, and decide to activate the DRP.

    This article will provide you with further explanation about RTO:

  • Enterprise Account for Security Awareness Programs

    Please note that the objective of ISO 22301 is business continuity, so its core processes are quite different from those of ISO 27001. While ISO 27001 focuses on risk management for information security, ISO 22301 focuses on business impact analysis for business continuity.

    I suggest you take a look at the free demo of our ISO 22301 Documentation Toolkit to see a preview of the templates: https://advisera.com/27001academy/iso22301-documentation-toolkit/

    This article will provide you with further explanation about ISO 22301:

    This material will also help you regarding ISO 22301:

  • ISMS implementation

    1 - In document 2.1 it asks for requirements. It is not clear to me how to identify those requirements. Can we link them to controls from the Annex?

    Answer: The requirements related to the template “List of Legal Regulatory Contractual and Other Requirements” refer to needs and expectations defined in laws, regulations, and contracts the organization must fulfill (e.g., protection of privacy due to GDPR, service continuity due to a Service Level Agreement with a customer, etc.).

    Such requirements, together with the results of the risk assessment, provide the basis for defining which controls from ISO 27001 Annex A will be implemented by an organization to protect information.

    For further information, see:
    - How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

    2 - For the ISMS Scope: we want to certify only our location in *** and we were advised by certification bodies to not mention our second location in *** at all. However, our processes happen regardless of the location and part of them happens in ***. Can we (and how) exclude *** from the ISMS while keeping the processes?

    Answer: You can define the ISMS scope only in terms of site *** and treat site *** as an external party (e.g., like a supplier).

    This way you can treat information security for them by means of “service agreements”, and they would not be a direct part of the ISMS scope.

    For further information, see:
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

    3 - Given that it's the first time we implement ISO in aug.e, what are the steps we should follow regarding filling in the documents? It seems to us that we will have to go back and forth in a way that will be quite confusing. I couldn't find any relevant information in the Advisera courses.

    Answer: Please note that for conducting the implementation in the most efficient way you should implement the documents in the order they are displayed in the folders in the toolkit (i.e., first the Procedure for Document and Record Control, then the EU GDPR Readiness Assessment, then the Project Plan, the Procedure for Identification of Requirements, and so on).

  • Questions to be asked in an audit checklist

    Thanks for the key questions.

