First, it is important to note that this answer greatly depends on information about your organization’s industry.
For example, for organizations from the critical infrastructure industry (e.g., chemical, communication, emergency services, energy, etc.), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) would be examples.
We suggest you seek legal expert advice to identify authorities related to your organization’s industry.
The scenario you are describing can be analysed from an IT Security perspective and from a privacy-compliance perspective. From an IT Security perspective, the company might ask each employee to use a specific combination of username/password to make sure that it has better control over the company’s assets. There are modern technologies that allow recovery of lost passwords or account elevation, but certain companies might choose this approach. So from an IT Security perspective, if a company employs certain controls related to how these usernames/passwords can be used (in order to avoid impersonation of users), the scenario might be OK.

From a privacy-compliance perspective, Article 25 GDPR - Data protection by design and by default - mentions that: “the controller shall […] implement appropriate technical and organizational measures […] which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.” and that “The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed”. So, in order to be GDPR-compliant, the company should deploy a thorough IT Security Policy describing all the controls implemented to protect the private lives of employees, an Access Control Policy to establish who can access what resource and when, a BYOD (Bring Your Own Device) Policy if employees use their own devices, and a Mobile Device and Teleworking Policy if the employees work from home. These policies should be amended with the necessary controls to make sure that impersonation of users is avoided. You can find templates for these documents in our EU GDPR Premium Documentation Toolkit.
Also, in Article 5 GDPR - Principles relating to the processing of personal data - the third principle, at para 1(c), is called the principle of minimization: the personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. The second principle, which is called purpose limitation, at para 1(b) states that personal data must be collected for specified, explicit, and legitimate purposes. In this case, the purpose would require one of the legal grounds for processing personal data, as mentioned in Article 6 GDPR - Lawfulness of processing. Consent wouldn’t work because it wouldn’t be freely given, according to the European Data Protection Board’s Guidelines 05/2020 on consent under Regulation 2016/679. If the company would like to use Legitimate Interest for this processing, the legitimate interest must pass a balancing test between the company’s interests and the interests or fundamental rights and freedoms of the employees which require protection of personal data. So my recommendation would be to perform a Data Protection Impact Assessment for this processing. As part of our EU GDPR Premium Documentation Toolkit, we provide a Data Protection Impact Assessment methodology that can be used.
Please consult these links as well:
ISO 27001 does not prescribe any level of granularity, so you can organize the assets in the way you understand will best fulfill your needs. Considering your example, you can split assets into categories that require different levels of protection and a different number of applicable controls.
For example, you can use categories related to the laptop's purpose (e.g., "general laptops" and "development laptops").
This article will provide you with a further explanation about the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
This material can also be useful:
- Asset List for ISO 27001 Risk Assessment https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/
1. For Clause 4.2, our external auditor requires us to have a document containing all needs and expectations of interested parties. My understanding is that there’s no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents. Would you consider this a major nonconformity?
Answer: The lack of this single document would not be considered a nonconformity for ISO 27001, because clause 4.2 of this standard does not require the needs and expectations of interested parties to be documented.
2. For Clause 4.4, our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10.
My understanding is that there’s no standard requirement for an ISMS Manual document. Would you consider this a major nonconformity?
Answer: The lack of an ISMS manual would not be considered a nonconformity for ISO 27001, because clause 4.4 of this standard does not require such a manual to be documented.
Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Performing a risk analysis on any activity involves identifying the risk, evaluating the level of risk and impact, and then applying suitable measures to control the risk to an acceptable level. To identify potential risks to impartiality and confidentiality, the laboratory needs to look at the requirements and at what is currently in place in the organisation. The requirements will come from ISO 17025 clauses 4.1 and 4.2, your parent organisation and any regulations in your country, especially for confidentiality.
For more information on impartiality and confidentiality, have a look at my previous replies on the topic:
- Assuring impartiality and confidentiality https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
- Impartiality https://community.advisera.com/topic/impartiality
Since you stated that this is a customer requirement, the option “Specifying mandatory safeguards” would be a better option than “Operation of information technology”.
Regarding compliance, you can select the option “Internal audit”, since one of the purposes of an internal audit is to ensure compliance with specified requirements.
Provided management has accepted the risks that would require implementation of control A.8.2.1 Classification of information, and there is no legal requirement (e.g., law, regulation, or contract) demanding this control to be implemented, this fulfills the standard’s requirements and is OK for certification purposes (the fact that the auditor “likes” this or not is irrelevant).
In case you decide to implement the control, the way you propose is acceptable for certification purposes (i.e., a single classification for all information and a reclassification process for information to be sent to external parties).
For further information, see:
1. Within the points that are detailed in the ISO 27001 templates, there is no point related to sanctions; it is possible to place this point within the corresponding documents, to detail which (labor) reprimands would result from failure to comply with any of the guidelines of X Policy.
A reference to the disciplinary process is included in the Incident Management Procedure, section 3.6 – Disciplinary actions. This document is located in folder 08 Annex A Security Controls >> A.16 Information Security Incident Management.
As a suggestion you may also consider including reference to sanctions in the following documents:
For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/
2. I have another query: within the Business Impact Questionnaire, must this be done for each activity that is managed in the organization, or can several activities be placed in a single questionnaire? If the answer is YES, please indicate how to place this.
Our recommendation is to perform the BIA for each department, so you can use a single BIA questionnaire for activities from the same department.
For example, you may use a single questionnaire to cover activities from the HR department (e.g., payroll, benefits, training, etc.), but it is not recommended to use one questionnaire to cover HR and SW development activities.
You can use the Activity description field in the BIA questionnaire form to specify which activities are included in the questionnaire.
For further information, see: