
  • Framework question

    Please note that ISO 27001 does not require clauses 4.1 (organizational context) and 4.2 (needs and expectations of interested parties) to be documented. This information is used to develop the ISMS scope and the Information Security Policy. You only need to explain how the context and interested parties influenced your scope and Information Security Policy.

    Clauses 5.1 and 5.2 are covered by the Information Security Policy, located in folder 04 General Policies.

    Clause 5.3 is covered by all policies and procedures in the toolkit when job titles are required to be defined for specific activities.

    For clause 6.2, you can use the Information Security Policy template (located in folder 04 General Policies), and Statement of Applicability template (located in folder 06 Applicability of Controls) to define the objectives for your ISMS and the Measurement Report template (located in folder 11 Management Review) to summarize the measurement methods, the frequency of measurement, and the results. 

    For clauses 7.1 and 9.1 you can use the Risk Treatment Plan to evidence the provision of resources and method for performance evaluation. Clause 9.1 is also covered in the Measurement document.

    The main documents in the toolkit that cover clause 7.4 are:
    - the Information Security Policy, located in folder 04 General Policies
    - the Training and Awareness Plan, located in folder 09 Training and Awareness
    - the Incident Management Procedure, located in folder 08 Annex A Security Controls >> A.16 Information Security Incident Management
    - the Disaster Recovery Plan, located in folder 08 Annex A Security Controls >> A.17 Business Continuity

    Clause 9.3 is covered by the Management Review Minutes, located in folder 11 Management Review.

    Regarding clause 10.2, continual improvement can be verified in all clauses from 4 to 10. Evidence for this clause can be shown by means of records related to changes in the environment, results of monitoring and measurement, or decisions from management review, since these are the main sources of the need to improve processes, procedures, and controls.

    In your toolkit, there is a List of Documents file that can show you which clauses are covered by each document.

    These materials will provide you a further explanation about evidencing requirements:
    - How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/
    - Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

  • ISO 9001:2015 specific clauses

    1. Customer-related processes – check clauses 8.2 and 9.1.2

    2. Branding and public relations – nothing specific about branding or PR, but check clause 7.4

    3. Business development – check clauses 4.1, 4.2, 5.2 and 6.2

     

    You can find more information below:

  • How to record external issues (not legal or contractual) in Conformio

    First, it is important to note that the Register of Requirements module is intended only for listing regulatory and contractual requirements, i.e., laws, regulations, and agreements. Further, ISO 27001 does not require internal or external issues to be documented.

    Considering that, in case the requirement refers to an external/internal issue, it does not need to be documented, and you can record it in the SoA as a management decision for each related control (e.g., “control applicable due to management decision to ensure availability requirements”).

    In case the requirement needs to be documented, because it refers to laws, regulations or contracts, then you can record it in the ‘Register of requirements’ module.

    When the requirement refers to parts of the organization which are outside of the scope, you can define it within the Register of Requirements as a requirement of the third party since this part of the organization is not within the ISMS scope.

    Please note that a ‘Contractual Agreement’ can vary from a fully formal agreement that can be legally enforced to a less formal agreement established internally through memos or emails.

  • Approving Residual Risk in Conformio

    You need to approve residual risk so you can proceed to the next step of the implementation process.

    After this approval, you will define the risk treatment plan, where you will define the dates for the implementation of the controls not yet in place.

  • GDPR compliance for B2B software applications

    At Advisera we have a large set of resources that can help you drive your GDPR compliance project. B2B companies need to demonstrate compliance with the GDPR when they process data of people in the EU or when they monitor their behaviour. You can start with our article “9 steps for implementing GDPR” (link below), followed by “A summary of 10 key GDPR requirements” and “Understanding 6 key GDPR principles”. I would also recommend consulting the “List of mandatory documents required by EU GDPR”, link below. These documents can be found in our EU GDPR Toolkit, which can be purchased on our website. This toolkit contains a step-by-step approach to driving a GDPR compliance project, and also provides a full set of templates needed for GDPR compliance.

    Please also consult these links:

  • Risk assessment question

    First of all, sorry for this confusion.

    A third party is any entity that is not under the direct control of an organization. Examples of third parties are: customers, suppliers, visitors, contractors, consultants, etc.

    A cleaner that does not belong to the organization’s staff can be considered a third party.

  • Establishment of the scope of the ISMS ISO 27001:2013

    First, it is important to note that an ISMS scope can be defined in terms of processes, locations, or information to be protected.

    Considering that, and your stated scenario, you should define your ISMS scope either in terms of processes (development process, sales process, account process, etc.) or information to be protected (e.g., customer information, financial information, etc.).

    By the way, included with your toolkit you have access to a video tutorial that can help you define your ISMS scope. This video contains examples.

    For further information, see:
    - Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
    - How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
    - Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
    - Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

  • Management of change

    Requirements for change management in an ISO 22301 BCMS can be found in the Business Continuity Policy template, section 3.8 – Changes in the BCMS, located in folder 03 Business Continuity Policy.

    ISO 22301 does not prescribe a change management procedure to be written, but in case you decide you need one, please take a look at this Change Management Policy template for ISO 27001. Even though it is an ISO 27001 document, it can be adapted to be used with ISO 22301:

    - https://advisera.com/27001academy/documentation/change-management-policy/ 


    For further information, see:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • Risk Register question

    Since you are considering the weak password vulnerability to be related to people's behavior, it makes sense to consider it for human-related assets in this case, but please note that you can also have situations where this vulnerability can be defined for IT equipment.

    For example, some equipment only allows PIN numbers as passwords, or it is not possible to enforce password rules on them; in this case you can also define weak passwords as a vulnerability for IT equipment. You can use only one of these two vulnerabilities, or you can use both if both are applicable.
