
  • Minimum standards required for SME

    If there is no customer-specific requirement, the IATF 16949:2016 standard expects to have a minimum ISO 9001:2015 certificate. 

  • DR/BCP career

    Hi. I am looking for the most economical way to introduce standards that allow SMEs to play an active role in the automotive sector. The barriers to entry are high and, together with ISO and other standard requirements, this puts it out of reach for the average SME to gain a foot in the door at even 1st and 2nd tier levels. Please advise.

  • Question on Stakeholder Requirements for ISMS ISO 27001:2013

    1 - In the survey of Stakeholders for my ISMS, in what scenario may some suppliers have requirements that must be considered for the ISMS?

    Are these requirements that they must meet for my organization regarding information security, or are they requirements that my company must meet with them in aspects of information security?

    Currently my providers are:

    Microsoft (Azure + Office 365)

    Amazon (cloud services)

    Google (Corporate email)

    Zoom (Videoconference)

    Spamexperts (SMTP Relay)

    Turbo SMTP (SMTP Relay)

    Sophos (Antivirus licenses)

    A Provider of the data center of my private cloud

    An Internet access Provider in my physical Office.

    A Software Development Provider.

    A Provider of maintenance and support of User equipment

    A maintenance and support provider for my virtual servers

    A Provider that provides information security consulting services

    With Microsoft, Google, Amazon, Zoom, and Sophos, no contract is managed; I simply buy and pay for the service online.

    Please note that both situations can exist, i.e., there can be requirements set by you that the supplier needs to meet, and requirements set by the supplier that you need to meet (this is especially true when working with cloud services).

    2 - Could you give me some examples of possible requirements these providers have regarding the ISMS that I want to implement?

    A cloud provider can define a requirement that only a specific role in your organization is authorized to approve change requests in the infrastructure provided to you (e.g., only the IT Manager can approve such change requests).

    Another example is that some cloud services providers require access control responsibilities to be shared between the provider and the organization (for example, the provider has responsibilities for setting systems parameters, while the organization has responsibilities for users’ access management). 

    3 - What considerations should I take into account regarding these suppliers in my ISMS?

    To ensure proper security regarding suppliers, you need to consider the result of your risk assessment and applicable legal requirements you need to fulfill (for example, compliance with HIPAA and GDPR demands that security controls are also implemented by suppliers and their supply chains).

    For further information, see:

  • ISO Control 15.2.2 Extended Support Request

    Since control A.15.2.2 Managing changes to supplier services does not require a documented procedure, the specifics for evidence you may consider are:

    • emails exchanged during contract negotiations questioning third parties about relationship changes, or reviewed assessments related to such changes
    • the history of change requests records
    • communications to schedule teams about changes in exchanged data
    • history of assessment review

  • ISO 27001 Clause 9.2

    ISO 27001 does not prescribe how to name the function which performs internal audit, only that requirements for internal audit are fulfilled.

    So, if you can comply with requirements from clause 9.2, then you can perform the internal audit job for ISO 27001. The requirements are:
    - audits must be performed at planned intervals
    - there must be an audit programme, defining frequency, methods, responsibilities, planning requirements and reporting
    - there must be defined audit criteria and audit scope for each audit
    - auditors must not have conflict of interest with the audited scope (e.g., auditors cannot audit their own work)
    - auditors must have experience with performing audit and have knowledge of ISO 27001
    - audit results must be recorded and communicated to relevant management

    For further information, see:
    - How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
    - ISO Internal Audit: A Plain English Guide https://advisera.com/books/iso-internal-audit-plain-english-guide/
    - ISO 27001:2013 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

  • IATF Internal Auditor Certificate Validity (Expiry Date)

    To be honest, I am not sure what the basis is for putting a validity date on the certificate.

    Normally, if the training on the changes has been completed, there is no need to renew the internal auditor certificate.

    It would be good to ask the organization that issued the certificate why they put such a date on it and what their basis is.

  • Framework question

    Please note that ISO 27001 does not require clauses 4.1 (organizational context) and 4.2 (needs and expectations of interested parties) to be documented. This information is used to develop the ISMS scope and the Information Security Policy. You only need to explain how the context and interested parties influenced your scope and Information Security Policy.

    Clauses 5.1 and 5.2 are covered by the Information Security Policy, located in folder 04 General Policies.

    Clause 5.3 is covered by all policies and procedures in the toolkit when job titles are required to be defined for specific activities.

    For clause 6.2, you can use the Information Security Policy template (located in folder 04 General Policies), and Statement of Applicability template (located in folder 06 Applicability of Controls) to define the objectives for your ISMS and the Measurement Report template (located in folder 11 Management Review) to summarize the measurement methods, the frequency of measurement, and the results. 

    For clauses 7.1 and 9.1 you can use the Risk Treatment Plan to evidence the provision of resources and method for performance evaluation. Clause 9.1 is also covered in the Measurement document.

    The main documents in the toolkit that cover clause 7.4 are:
    - the Information Security Policy, located in folder 4 General Policies
    - the Training and Awareness Plan, located in folder 9 Training and Awareness
    - the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
    - the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

    Clause 9.3 is covered by the Management Review Minutes, located in folder 11 Management Review.

    Regarding clause 10.2, continual improvement can be verified in all clauses from 4 to 10. Evidence for this clause can be shown by means of records related to changes in the environment, results of monitoring and measurement, or decision from management review, since these are the main sources of the need to improve processes, procedures, and controls.

    In your toolkit, there is a List of Documents file that shows you which clauses are covered by each document.

    These materials will provide you a further explanation about evidencing requirements:
    - How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/
    - Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

  • ISO 9001:2015 specific clauses

    1. Customer-related processes – check clauses 8.2 and 9.1.2

    2. Branding and public relations – nothing specific about branding or PR, but check clause 7.4

    3. Business development – check clauses 4.1, 4.2, 5.2 and 6.2

    You can find more information below:

  • How to record external issues (not legal or contractual) in Conformio

    First, it is important to note that the Register of Requirements module is intended only for listing regulatory and contractual requirements, i.e., laws, regulations, and agreements. Further, ISO 27001 does not require internal or external issues to be documented.

    Considering that, in case the requirement refers to an external/internal issue, it does not need to be documented, and you can record it in the SoA as a management decision for each related control (e.g., “control applicable due to management decision to ensure availability requirements”).

    In case the requirement needs to be documented, because it refers to laws, regulations or contracts, then you can record it in the ‘Register of requirements’ module.

    When the requirement refers to parts of the organization which are outside of the scope, you can define it within the Register of Requirements as a requirement of the third party since this part of the organization is not within the ISMS scope.

    Please note that ‘Contractual Agreement’ can vary from fully formal agreements that can be legally enforced, to lesser formal agreements established internally through memos or emails.
