Search results

Preparing risk analysis with regard to impartiality and confidentiality

Performing a risk analysis on any activity involves identifying the risk, evaluating the level of risk and impact and then applying suitable measures to control the risk to an acceptable level. To identify potential risks to impartiality and confidentiality laboratory needs to look at the requirements and what is currently in place in the organisation. The requirements will come from ISO 17025 clauses 4.1 and 4.2, your parent organisation and any regulations in your country, especially for confidentiality.

For more information on impartiality and confidentiality, have a look at my previous replies on the topic:
Assuring impartiality and confidentiality at https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
Impartiality  https://community.advisera.com/topic/impartiality.

Mapping of requirements categories to ISO 27001 Compliance controls (Conformio)

Since you stated that this is a customer requirement, the option “Specifying mandatory safeguards” would be a better option than “Operation of information technology”.

Regarding compliance, you can select the option “Internal audit”, since one of the purposes of an internal audit is to ensure compliance with specified requirements.

Control A.8.2 Information Classification

 Provided management has accepted the risks that would require implementation of control A.8.2.1 Classification of information, and there is no legal requirement (e.g., law, regulation, or contract) demanding this control to be implemented, this fulfills the standard’s requirements and is ok for certification purposes (the fact that the auditor “likes” this or not is irrelevant).

In case you decide to implement the control, the way you propose is acceptable for certification purposes (i.e., a single classification for all information and a reclassification process for information to be sent to external parties).

For further information, see:

• Implementation of security controls https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

Consultation to ISO 27001 documentation

1. Within the points that are detailed in the ISO 27001 templates, there is no point related to sanctions, it is possible to place this point within the corresponding documents, to detail which are the (labor) reprimands that would be obtained by the Failure to comply with any of the guidelines of X Policy.

A reference to the disciplinary process is included in the Incident Management Procedure, section 3.6 – Disciplinary actions. This folder is located in folder 08 Annex A Security Controls >> A.16 Information Security Incident Management.

As a suggestion you may also consider including reference to sanctions in the following documents:

• Confidentiality Statement, included in folder 08 Annex A Security Controls >> A.7 Human Resource Security
• Statement of Acceptance of ISMS Documents, included in folder 08 Annex A Security Controls >> A.7 Human Resource Security
• Employment contract, as defined by the organization's HR department  

For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

2. I have another query: Within the Business Impact Questionnaire, this must be done for each activity that is managed in the organization or several activities can be placed in a single questionnaire. If the answer is YES, please indicate how to place this. 

Our recommendation is to perform BIA for each department, so you can use a single BIA questionnaire for activities from the same department

For example, you may use a single questionnaire to cover activities from the HR department (e.g., payroll, benefits, training, etc.), but it is not recommended to use one questionnaire to cover HR and SW development activities.

You can use the Activity description field in the BIA questionnaire form to specify which activities are included in the questionnaire.

For further information, see:

• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

New EU MDR - Technical File new document format

The most important point is to define which of the suppliers are critical suppliers because with them you need to have a quality agreement. This quality agreement must cover: mutual responsibilities, how the manufacturer will control the supplier, how it will behave in case of a complaint, and the critical supplier must agree to any audits by the manufacturer's notifying authority (if the auditor considers that the manufacturer does not have sufficient control over the supplier).  

Another important is for the suppliers of outsourced processes. With those suppliers, there is also the necessity of the quality agreement, but this quality agreement must, in addition to the above, also include the supplier's consent to the statutory audit of the manufacturer's notifying authority, but also to unannounced audits.   

In ISO 13485&MDR Documentation toolkit, we have quality agreements for both types of suppliers, and on this link, you can find the preview:

• Quality Agreement for Subcontractor https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/
• Quality Agreement for Critical Supplier https://advisera.com/13485academy/documentation/quality-agreement-for-critical-supplier/ 

• Mapping of requirements categories to ISO 27001 Human Resource controls (Conformio)

  This requirement for a background check can be linked to “Specifying mandatory safeguards” because it requires a specific security practice to be implemented.

• Question on Creating a Business Case for ISMS ISO 27001:2013

  1. Is the creation of an ISO 27001 ISMS Implementation Business Case document mandatory?

  ISO 27001 does not require the development of a business case for ISMS implementation, although the elaboration of such material can be very useful to help you to identify business objectives related to information security and buy in the top management support for this project, and to define top-level objectives for the ISMS (which are mandatory for the standard).

  These articles will provide you with a further explanation about getting top management support:

  • How to gain employee buy-in when implementing cybersecurity according to ISO 27001 https://advisera.com/27001academy/blog/2017/07/03/how-to-gain-employee-buy-in-when-implementing-cybersecurity-according-to-iso-27001/
  • Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/

  These materials will also help you with top management support:

  • Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
  • Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

  2. What components should the business case contain?

  Basically. you need to cover why an ISO 27001 ISMS is needed and what benefits the organization can achieve with its implementation.

  Generally speaking, an ISO 27001 business case would cover these four benefits: assured compliance, enhanced marketing edge, decreased expenses, and improved organizational structure. You can see more detailed information in this article: Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/four-key-benefits-of-iso-27001-implementation/.

  In our free materials, you can find these two templates that present a general framework to organize the information needed to present a business case:

  • Project proposal for ISO 27001 implementation https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-implementation-powerpoint
  • Project proposal for ISO 27001 / ISO 22301 implementation https://info.advisera.com/27001academy/free-download/project-proposal-for-iso-27001-iso-22301-implementation-msword

  3. When is the Business Case document created? before starting the ISMS planning phase? after the gap analysis, after the risk analysis, etc.?

  Generally, the business case is developed to get authorization for starting an ISMS project, i.e., even before the planning phase.

  4. As in the initial phase of an ISO 27001 ISMS implementation project, the cost and/or the investments required for the implementation of the controls for the treatment of risks are not yet known, how is the financial budget of an ISO 27001 ISMS project to add it to the Business Case?

  Since the budget for controls implementation is not yet known at the beginning of the project, in the business case you need to state this issue and that after the risk assessment and treatment process is concluded financial information about the controls can be presented.

  
  Please note that ISO 27001 does not require all controls to be implemented, and that business context, together with risks and legal requirements are inputs for deciding which controls to implement, so you can adjust your implementation plan according to the available budget and acceptable risks.

  This article will provide you with further explanation:

  • Cost of the implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#costs

• More questions on Additions to Conformio

  First is important to note that setting multiple internal audits to cover smaller parts of the ISMS scope with each one is worthy only for larger companies. For smaller ones, the most efficient approach is to perform a single audit.

  Regarding the identification of risks in the Risk Treatment document, besides the risks from its own unit it should consider at least the risks from other units that refers to assets the business unit is responsible for.

  For example, if a HR unit has a risk related to an IT asset, then the IT unit should read this risk.