Search results

CE Marking

1 - Bewtween the end of June and when they get the renewal, can I sell the products I hold that were manufactured under a valid CE, even though they will be out of date?

2 - If I purchase new products that have been produced without a valid CE, they will not be compliant will they?

Inquiry about the following ISO27001 controls

1. Physical office security for site 1:

Given the scenario above, is it possible to treat the site 1 office as out-of-scope? The existing security controls of the office does not fully conform with the standard and our personnel cannot make major change in the office security since they are only sitting with our Parent company’s office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time, our personnel are working remotely (80% of the time) anyway. The security will be enhanced on the personnel itself (awareness), their system accesses (policy, access rights and reviews, the likes), and in their user laptops (endpoint security such as anti-malware, DLP agent).

If the site 1 office does not contain highly sensitive information, and if the people from this site have only restricted access to offices within the scope, then you can exclude office 1 from the scope.

For further information, see:

• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

2. In site 2, our HR, Recruitment, and IT (laptop, user peripherals, purchasing of these equipment) service are provided by our Parent company (shared among some of its subsidiary companies). Are they still considered as supplier of the services and will be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such contract established with our parent company. The personnel of the aforementioned teams only access “internal” classified data such as employee info, payroll, and the likes

In case the parent company acts as a service supplier accessing information your ISMS needs to protect (i.e., information included in the ISMS scope), then you need to treat this parent company as a supplier, and controls applicable to suppliers need to be applied, but please note that in this case, the agreements signed with such "suppliers" do not need to be fully formal (i.e., instead of full formal contracts you can use something like internal memos).

For further information, see:

• 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

• how close treatments

  You need to gather information to evidence that actions taken to treat the risk were performed according to the decision made, and that expected results were achieved.

  For example, in case you have a data loss risk and the decision is to treat the risk by including that data in a backup routine, then you need to evidence the backup schedule covering the related data, and the results of performed backup to show that the data as indeed backed up.

  This article will provide you with further explanation about risk treatment:

  • Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

• Internal audit of management systems and GDPR

  In general this is not a breach of GDPR because there are no significant risks to the freedoms and rights of the data subjects, but you need to take a few things into consideration to make sure that the processing is fully compliant with the GDPR requirements. Since the name and position of employees are personal data per article 4 GDPR – Definitions, listing these categories of personal data in different reports and attachments is considered to be the processing of personal data. Whenever you are assessing whether the processing of personal data is GDPR-compliant, you must make sure that the processing is necessary (and the same objective cannot be obtained without processing personal data) and that it respects all GDPR principles described in Article 5 GDPR - Principles relating to the processing of personal data:

  • Lawfulness, fairness, and transparency (employees understand that their data is published in these reports).
  • Purpose limitation (there is a clear scope of processing).
  • Data minimization (only data necessary for the purpose is being processed).
  • Accuracy.
  • Storage limitation (define clear retention timelines after which the data should be anonymized).
  • Security
     

  The legal ground for this processing could be the legitimate interest of the organization to create meaningful reports that can be used internally and that allows other employees to contact people who worked for these reports/audits. In this case, you should also perform a Legitimate Interest Assessment and allow employees to exercise their right to objection, according to article 21 GDPR – Right to object.

   

  Please also consult these links:

  • Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
  • Article 5 GDPR – Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
  • Article 21 GDPR – Right to object: https://advisera.com/eugdpracademy/gdpr/right-to-object/
  • Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
  • A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/

• A.7.9 Clause

  Control A.7.9 - Security of assets off-premises, refers to practices such as:

  • protecting assets when not attended in public or off-premises insecure areas (e.g., hotel lobbies)
  • keep track of users to which assets are transferred when they are off-premises
  • ensure proper authorization is granted before assets are taken off-premises  

  Control A.7.9 is the new identification of control A.11.2.6, and for further information, see:

  • How to implement equipment physical protection according to ISO 27001 A.11.2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

• Non conformities - entering corrective actions

  Through the Nonconformity Register, you need first to open a Nonconformity.

  Only after the nonconformity is open is that you can start assigning tasks and defining deadlines.

  For further information, see:

  • Nonconformities and Corrective Actions Register https://advisera.com/support/knowledgebase/nonconformities-and-corrective-actions-register/

• New implementation: ISO 27001:2013 + ISO 27002:2022

  First of all, sorry for this confusion.

  Regarding your justification, the best course of action is to ask your certification body if it is acceptable to it because you are talking about using a 2022 set of controls for an ISO 27001:2013 certification (in theory this is acceptable, but your certification body will have the final decision).

  Our previous answer took into consideration you stated that you are finishing section 9, and unless it is imperative you implement the new controls before March 2023 (e.g., there is a legal requirement, or it will bring you a greater competitive advantage), a smoother transition would be more recommendable, and it is possible.

• Conformio question

  ISO 27001 does not prescribe how to define assets level, so you can adopt the levels you understand that will better fulfill your needs.

  For example, you should consider separate assets when they require different levels of protection and a different number of applicable controls (e.g., Windows separate from Linux and from Mac).

  In case they share similar risks or controls you can adopt a single category (e.g., operating systems).

  This article will provide you with further explanation about asset register:
  - Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

• Toolkit questions

  1 - First one: why the implementation tool kit did not contain the folder for A5 and folder for A18 in the folder 08 for annex a

  Answer: Please note that there is no need for a folder A.5 in the toolkit because the policies needed to fulfill the controls from section A.5 from ISO 27001 Annex A are included in all other folders that make part of the folder 08 Annex A.

  Regarding documents that cover controls from section A.18, they can be found here:
  - documents in the toolkit in folder "02 Procedure for identification of requirements” ("Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements")
  - control A.18.1.2 is included in the document IT Security Policy (you'll find it in the toolkit in folder 08 Annex A security controls - A.8 Asset management) in the section "3.15. Copyright".

  Included in the toolkit you bought, you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.

  2 - Second question:  while I browse your website, I found the document named checklist of ISO 27001 mandatory documentation I confused AND I have a question regarding this document regarding the documentation I SHOULD deliver to the certification auditor My question is do I have to submit this document to the certification auditor ?

  Answer: I’m assuming you are referring to the whitepaper Checklist of mandatory documentation required by ISO 27001:2013.

  Considering that, there is no need to submit this Checklist of ISO 27001 mandatory documentation documents, the documents included in the toolkit are all you need to present during a certification audit.  

  For further information, see:
  - Checklist of Mandatory Documentation Required by ISO 27001 https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001 

  3 - Third question: what is the difference between this document and the implementation toolkit, Which contain folders from 00 to 12

  Answer: The whitepaper only provides a brief explanation about the documents included in the toolkit, while the toolkit provides templates for real policies and procedures.

• Security Management System

  Please note that included with the toolkit you bought you have access to video tutorials that can help you with the risk assessment and risk treatment steps. These videos show you some real examples on how to combine assets, threats, and vulnerabilities.

  For further information about the risk management process, see:
  - ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/

  These materials will also help you regarding risk management: 
  - The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand]  https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
  - Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/