Search results

Asset management

ISO 27001 does not prescribe any level of granularity, so you can organize the assets the way you understand that will better fulfill your needs. Considering your example, you can split assets into categories that require different levels of protection and a different number of applicable controls.

For example, you can use categories related to the laptop's purpose (e.g., "general laptops" and "development laptops").

This article will provide you a further explanation about asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

This material can also be useful:
- Asset List for ISO 27001 Risk Assessment https://info.advisera.com/27001academy/free-download/asset-list-for-iso-27001-risk-assessment/

Non-conformities

1. For the Clause 4.2, our external auditor requires us to have a document containing all needs and expectation of interested parties.My understanding is that there’s no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents.Would you consider this a major nonconformity?

Answer: The lack of this single document would not be considered a nonconformity for ISO 27001, because clause 4.2 of this standard does not require the needs and expectations of interested parties to be documented.

2. For the Clause 4.4., our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10.
My understanding is that there’s no standard requirement for an ISMS Manual document.

Would you consider this a major nonconformity?

Answer:  The lack of an ISMS manual would not be considered a nonconformity for ISO 27001, because clause 4.4 of this standard does not require such a manual to be documented.

Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:  
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)

For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

Preparing risk analysis with regard to impartiality and confidentiality

Performing a risk analysis on any activity involves identifying the risk, evaluating the level of risk and impact and then applying suitable measures to control the risk to an acceptable level. To identify potential risks to impartiality and confidentiality laboratory needs to look at the requirements and what is currently in place in the organisation. The requirements will come from ISO 17025 clauses 4.1 and 4.2, your parent organisation and any regulations in your country, especially for confidentiality.

For more information on impartiality and confidentiality, have a look at my previous replies on the topic:
Assuring impartiality and confidentiality at https://community.advisera.com/topic/assuring-impartiality-and-confidentiality/
Impartiality  https://community.advisera.com/topic/impartiality.

Mapping of requirements categories to ISO 27001 Compliance controls (Conformio)

Since you stated that this is a customer requirement, the option “Specifying mandatory safeguards” would be a better option than “Operation of information technology”.

Regarding compliance, you can select the option “Internal audit”, since one of the purposes of an internal audit is to ensure compliance with specified requirements.

Control A.8.2 Information Classification

 Provided management has accepted the risks that would require implementation of control A.8.2.1 Classification of information, and there is no legal requirement (e.g., law, regulation, or contract) demanding this control to be implemented, this fulfills the standard’s requirements and is ok for certification purposes (the fact that the auditor “likes” this or not is irrelevant).

In case you decide to implement the control, the way you propose is acceptable for certification purposes (i.e., a single classification for all information and a reclassification process for information to be sent to external parties).

For further information, see:

• Implementation of security controls https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

Consultation to ISO 27001 documentation

1. Within the points that are detailed in the ISO 27001 templates, there is no point related to sanctions, it is possible to place this point within the corresponding documents, to detail which are the (labor) reprimands that would be obtained by the Failure to comply with any of the guidelines of X Policy.

A reference to the disciplinary process is included in the Incident Management Procedure, section 3.6 – Disciplinary actions. This folder is located in folder 08 Annex A Security Controls >> A.16 Information Security Incident Management.

As a suggestion you may also consider including reference to sanctions in the following documents:

• Confidentiality Statement, included in folder 08 Annex A Security Controls >> A.7 Human Resource Security
• Statement of Acceptance of ISMS Documents, included in folder 08 Annex A Security Controls >> A.7 Human Resource Security
• Employment contract, as defined by the organization's HR department  

For further information, see:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

2. I have another query: Within the Business Impact Questionnaire, this must be done for each activity that is managed in the organization or several activities can be placed in a single questionnaire. If the answer is YES, please indicate how to place this. 

Our recommendation is to perform BIA for each department, so you can use a single BIA questionnaire for activities from the same department

For example, you may use a single questionnaire to cover activities from the HR department (e.g., payroll, benefits, training, etc.), but it is not recommended to use one questionnaire to cover HR and SW development activities.

You can use the Activity description field in the BIA questionnaire form to specify which activities are included in the questionnaire.

For further information, see:

• How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/

New EU MDR - Technical File new document format

The most important point is to define which of the suppliers are critical suppliers because with them you need to have a quality agreement. This quality agreement must cover: mutual responsibilities, how the manufacturer will control the supplier, how it will behave in case of a complaint, and the critical supplier must agree to any audits by the manufacturer's notifying authority (if the auditor considers that the manufacturer does not have sufficient control over the supplier).  

Another important is for the suppliers of outsourced processes. With those suppliers, there is also the necessity of the quality agreement, but this quality agreement must, in addition to the above, also include the supplier's consent to the statutory audit of the manufacturer's notifying authority, but also to unannounced audits.   

In ISO 13485&MDR Documentation toolkit, we have quality agreements for both types of suppliers, and on this link, you can find the preview:

• Quality Agreement for Subcontractor https://advisera.com/13485academy/documentation/quality-agreement-for-subcontractor/
• Quality Agreement for Critical Supplier https://advisera.com/13485academy/documentation/quality-agreement-for-critical-supplier/ 

• Mapping of requirements categories to ISO 27001 Human Resource controls (Conformio)

  This requirement for a background check can be linked to “Specifying mandatory safeguards” because it requires a specific security practice to be implemented.