  • Management of change

    Requirements for change management in an ISO 22301 BCMS can be found in the Business Continuity Policy template, section 3.8 – Changes in the BCMS, located in folder 03 Business Continuity Policy.

    ISO 22301 does not prescribe a change management procedure to be written, but in case you decide you need one, please take a look at this Change Management Policy template for ISO 27001. Even though it is an ISO 27001 document, it can be adapted to be used with ISO 22301:

    - https://advisera.com/27001academy/documentation/change-management-policy/ 


    For further information, see:
    - How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • Risk Register question

    Since you are considering the weak password vulnerability to be related to people's behavior, it makes sense to consider it for human-related assets in this case, but please note that there can also be situations where this vulnerability is defined for IT equipment.

    For example, some equipment only allows PIN numbers as passwords, or it is not possible to enforce password rules on it; in this case you can also define weak passwords as a vulnerability for IT equipment. You can use only one of these two vulnerabilities, or you can use both if both are applicable.

  • CE Marking

    1 - Between the end of June and when they get the renewal, can I sell the products I hold that were manufactured under a valid CE, even though they will be out of date?
    For all medical devices that are produced until the expiry date of the MDD certificate, you can sell until the expiry date of the device.

    2 - If I purchase new products that have been produced without a valid CE, they will not be compliant will they?
    The manufacturer is not allowed to produce the device anymore after the certificate has expired.

  • Inquiry about the following ISO27001 controls

    1. Physical office security for site 1:

    Given the scenario above, is it possible to treat the site 1 office as out of scope? The existing security controls of the office do not fully conform with the standard, and our personnel cannot make major changes to the office security since they are only sitting within our parent company's office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time (80% of the time) our personnel are working remotely anyway. Security will instead be enhanced for the personnel themselves (awareness), their system accesses (policy, access rights and reviews, and the like), and their user laptops (endpoint security such as anti-malware and DLP agents).

    If the site 1 office does not contain highly sensitive information, and if the people from this site have only restricted access to offices within the scope, then you can exclude office 1 from the scope.

    For further information, see:

    2. In site 2, our HR, Recruitment, and IT (laptops, user peripherals, purchasing of this equipment) services are provided by our parent company (shared among some of its subsidiary companies). Are they still considered a supplier of these services, and will they be required by the standard to comply with the applicable third-party controls (NDA, contracts, etc.)? We do not have such a contract established with our parent company. The personnel of the aforementioned teams only access "internal" classified data such as employee info, payroll, and the like.

    In case the parent company acts as a service supplier accessing information your ISMS needs to protect (i.e., information included in the ISMS scope), then you need to treat this parent company as a supplier, and controls applicable to suppliers need to be applied, but please note that in this case, the agreements signed with such "suppliers" do not need to be fully formal (i.e., instead of full formal contracts you can use something like internal memos).

    For further information, see:

    • 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/

    • how close treatments

      You need to gather information to evidence that actions taken to treat the risk were performed according to the decision made, and that expected results were achieved.

      For example, in case you have a data loss risk and the decision is to treat the risk by including that data in a backup routine, then you need to evidence the backup schedule covering the related data, and the results of the performed backups to show that the data was indeed backed up.

      This article will provide you with further explanation about risk treatment:

    • Internal audit of management systems and GDPR

      In general this is not a breach of GDPR because there are no significant risks to the freedoms and rights of the data subjects, but you need to take a few things into consideration to make sure that the processing is fully compliant with the GDPR requirements. Since the name and position of employees are personal data per article 4 GDPR – Definitions, listing these categories of personal data in different reports and attachments is considered to be the processing of personal data. Whenever you are assessing whether the processing of personal data is GDPR-compliant, you must make sure that the processing is necessary (and the same objective cannot be obtained without processing personal data) and that it respects all GDPR principles described in Article 5 GDPR - Principles relating to the processing of personal data:

      • Lawfulness, fairness, and transparency (employees understand that their data is published in these reports).
      • Purpose limitation (there is a clear scope of processing).
      • Data minimization (only data necessary for the purpose is being processed).
      • Accuracy.
      • Storage limitation (define clear retention timelines after which the data should be anonymized).
      • Security.

      The legal ground for this processing could be the legitimate interest of the organization to create meaningful reports that can be used internally and that allow other employees to contact the people who worked on these reports/audits. In this case, you should also perform a Legitimate Interest Assessment and allow employees to exercise their right to object, according to Article 21 GDPR – Right to object.

      Please also consult these links:

    • A.7.9 Clause

      Control A.7.9 - Security of assets off-premises, refers to practices such as:

      • protecting assets when left unattended in public or insecure off-premises areas (e.g., hotel lobbies)
      • keeping track of the users to whom assets are transferred when they are off-premises
      • ensuring proper authorization is granted before assets are taken off-premises

      Control A.7.9 is the new identification of control A.11.2.6, and for further information, see:

    • Non conformities - entering corrective actions

      Through the Nonconformity Register, you need first to open a Nonconformity.

      Only after the nonconformity is opened can you start assigning tasks and defining deadlines.

      For further information, see:

    • New implementation: ISO 27001:2013 + ISO 27002:2022

      First of all, sorry for this confusion.

      Regarding your justification, the best course of action is to ask your certification body if it is acceptable to it because you are talking about using a 2022 set of controls for an ISO 27001:2013 certification (in theory this is acceptable, but your certification body will have the final decision).

      Our previous answer took into consideration that you stated you are finishing section 9, and unless it is imperative that you implement the new controls before March 2023 (e.g., there is a legal requirement, or it will bring you a greater competitive advantage), a smoother transition would be more advisable, and it is possible.

    • Conformio question

      ISO 27001 does not prescribe how to define asset levels, so you can adopt the levels you understand will best fulfill your needs.

      For example, you should consider separate assets when they require different levels of protection and a different number of applicable controls (e.g., Windows separate from Linux and from Mac).

      In case they share similar risks or controls you can adopt a single category (e.g., operating systems).

      This article will provide you with further explanation about asset register:
      - Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
