Search results

how close treatments

You need to gather information to evidence that actions taken to treat the risk were performed according to the decision made, and that expected results were achieved.

For example, in case you have a data loss risk and the decision is to treat the risk by including that data in a backup routine, then you need to evidence the backup schedule covering the related data, and the results of performed backup to show that the data as indeed backed up.

This article will provide you with further explanation about risk treatment:

• Risk treatment https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Internal audit of management systems and GDPR

In general this is not a breach of GDPR because there are no significant risks to the freedoms and rights of the data subjects, but you need to take a few things into consideration to make sure that the processing is fully compliant with the GDPR requirements. Since the name and position of employees are personal data per article 4 GDPR – Definitions, listing these categories of personal data in different reports and attachments is considered to be the processing of personal data. Whenever you are assessing whether the processing of personal data is GDPR-compliant, you must make sure that the processing is necessary (and the same objective cannot be obtained without processing personal data) and that it respects all GDPR principles described in Article 5 GDPR - Principles relating to the processing of personal data:

• Lawfulness, fairness, and transparency (employees understand that their data is published in these reports).
• Purpose limitation (there is a clear scope of processing).
• Data minimization (only data necessary for the purpose is being processed).
• Accuracy.
• Storage limitation (define clear retention timelines after which the data should be anonymized).
• Security
   

The legal ground for this processing could be the legitimate interest of the organization to create meaningful reports that can be used internally and that allows other employees to contact people who worked for these reports/audits. In this case, you should also perform a Legitimate Interest Assessment and allow employees to exercise their right to objection, according to article 21 GDPR – Right to object.

Please also consult these links:

• Article 4 GDPR – Definitions: https://advisera.com/gdpr/definitions/
• Article 5 GDPR – Principles relating to processing of personal data: https://advisera.com/gdpr/principles-relating-to-processing-of-personal-data/
• Article 21 GDPR – Right to object: https://advisera.com/eugdpracademy/gdpr/right-to-object/
• Understanding 6 key GDPR principles: https://advisera.com/eugdpracademy/knowledgebase/understanding-6-key-gdpr-principles/
• A summary of 10 key GDPR requirements: https://advisera.com/eugdpracademy/knowledgebase/a-summary-of-10-key-gdpr-requirements/

A.7.9 Clause

Control A.7.9 - Security of assets off-premises, refers to practices such as:

• protecting assets when not attended in public or off-premises insecure areas (e.g., hotel lobbies)
• keep track of users to which assets are transferred when they are off-premises
• ensure proper authorization is granted before assets are taken off-premises  

Control A.7.9 is the new identification of control A.11.2.6, and for further information, see:

• How to implement equipment physical protection according to ISO 27001 A.11.2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

Non conformities - entering corrective actions

Through the Nonconformity Register, you need first to open a Nonconformity.

Only after the nonconformity is open is that you can start assigning tasks and defining deadlines.

For further information, see:

• Nonconformities and Corrective Actions Register https://advisera.com/support/knowledgebase/nonconformities-and-corrective-actions-register/

New implementation: ISO 27001:2013 + ISO 27002:2022

First of all, sorry for this confusion.

Regarding your justification, the best course of action is to ask your certification body if it is acceptable to it because you are talking about using a 2022 set of controls for an ISO 27001:2013 certification (in theory this is acceptable, but your certification body will have the final decision).

Our previous answer took into consideration you stated that you are finishing section 9, and unless it is imperative you implement the new controls before March 2023 (e.g., there is a legal requirement, or it will bring you a greater competitive advantage), a smoother transition would be more recommendable, and it is possible.

Conformio question

ISO 27001 does not prescribe how to define assets level, so you can adopt the levels you understand that will better fulfill your needs.

For example, you should consider separate assets when they require different levels of protection and a different number of applicable controls (e.g., Windows separate from Linux and from Mac).

In case they share similar risks or controls you can adopt a single category (e.g., operating systems).

This article will provide you with further explanation about asset register:
- Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

Toolkit questions

1 - First one: why the implementation tool kit did not contain the folder for A5 and folder for A18 in the folder 08 for annex a

Answer: Please note that there is no need for a folder A.5 in the toolkit because the policies needed to fulfill the controls from section A.5 from ISO 27001 Annex A are included in all other folders that make part of the folder 08 Annex A.

Regarding documents that cover controls from section A.18, they can be found here:
- documents in the toolkit in folder "02 Procedure for identification of requirements” ("Procedure for Identification of Requirements" and "Appendix – List of Legal, Regulatory, Contractual and Other Requirements")
- control A.18.1.2 is included in the document IT Security Policy (you'll find it in the toolkit in folder 08 Annex A security controls - A.8 Asset management) in the section "3.15. Copyright".

Included in the toolkit you bought, you'll find a document called “List of Documents” that explains which control/clause is covered by which document, and which documents are mandatory.

2 - Second question:  while I browse your website, I found the document named checklist of ISO 27001 mandatory documentation I confused AND I have a question regarding this document regarding the documentation I SHOULD deliver to the certification auditor My question is do I have to submit this document to the certification auditor ?

Answer: I’m assuming you are referring to the whitepaper Checklist of mandatory documentation required by ISO 27001:2013.

Considering that, there is no need to submit this Checklist of ISO 27001 mandatory documentation documents, the documents included in the toolkit are all you need to present during a certification audit.  

For further information, see:
- Checklist of Mandatory Documentation Required by ISO 27001 https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001 

3 - Third question: what is the difference between this document and the implementation toolkit, Which contain folders from 00 to 12

Answer: The whitepaper only provides a brief explanation about the documents included in the toolkit, while the toolkit provides templates for real policies and procedures.

Security Management System

Please note that included with the toolkit you bought you have access to video tutorials that can help you with the risk assessment and risk treatment steps. These videos show you some real examples on how to combine assets, threats, and vulnerabilities.

For further information about the risk management process, see:
- ISO 27001 Risk Assessment, Treatment, & Management: The Complete Guide https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/

These materials will also help you regarding risk management: 
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand]  https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

Assets management

I’m assuming that by management of assets you mean the process to of developing, operating, maintaining, upgrading, and disposing of assets in the most cost-effective manner. 

Considering that, please note that according to ISO 27001 it is not mandatory to document an asset management procedure.

Only rules applicable to users regarding the use of assets need to be documented, when control A.8.1.3 - Acceptable use of assets - is stated as applicable in the Statement of Applicability. The template which covers control A.8.1.3 is the IT Security Policy, which can be found in the folder 08 Annex A Security Controls >> A.8 Asset Management

To see an example of an asset management process according to ISO 20000, which is not mandatory for ISO 27001, please see:
- Asset Management Process (ISO 20000) https://advisera.com/20000academy/documentation/asset-management-process/

For further information, see:
- Asset management according to ISO 27001: How to handle an asset register / asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

ISO 17025 lab certification

There is no specific period of time that is required; however the laboratory must have sufficient data and information available for assessment. This is needed to provide evidence of effective implementation, monitoring, and improvement. It will therefore depend on how much management, testing or calibration data is available as evidence, say after three months. This is typical period for most laboratories.

You need to have monitored all the activities that are inputs for management review and completed at least one management review. This need not be on a fully implemented system for all activities, for example you may not yet have enough customer feedback. What is important is that you would have a process in place which is being followed and that actions are being taken to provide evidence.

On the technical side, participation in external proficiency testing / interlaboratory comparison is often the activity that delays the process. You need evidence of participating in at least one round for each test you are being accredited for and you have to have evaluated the laboratory’s performance and taken corrective action if required. Another examples are that there must be sufficient data on maintenance of equipment, and trends for method quality control.

For more information have a look at the available Free webinar – What are the steps in the ISO 17025 accreditation process? at https://advisera.com/17025academy/webinar/what-are-the-steps-in-the-iso-17025-accreditation-process-free-webinar