Start a new topic and get direct answers from the Expert Advice Community.
CREATE NEW TOPIC +Search results
11269 results
Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 and HiTrust
You can use ISO 27001 framework to partially support HITRUST controls implementation, maintenance, and improvement (i.e., ISO 27001 does not cover the whole HITRUST).
ISO 27001 involves the implementation of a high-level information security management system, while HITRUST involves detailed requirements and controls for the secure creation, access, storage, and exchange of sensitive and/or regulated data.
For more information, please access this link: https://hitrustalliance.net/uploads/CSFComparisonWhitpaper.pdf
If you are interested in the help of ISO 27001, maybe our templates can be interesting for you, so you can download a free version here by clicking on “DOWNLOAD FREE TOOLKIT DEMO”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/
By the way, ISO 27799, which is similar to ISO 27001, is an international standard that also focuses on information security for health organizations.
These articles will provide you a further explanation about ISO 27001 applicable to health organizations:
- How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
- Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/ -
Nonconformity question
First, I don’t use the word “observation” because it is not defined in ISO 9000:2015.
Second, I would raise a non-conformity as being the equipment out of use and without being properly identified as such can promote inadvertent use. Something like:
Measuring equipment shall be identified in order to determine their status (ISO 9001:2015 clause 7.1.5.2b)).
When auditing the production area an equipment was found to be past due for calibration and without status identification, as such can promote inadvertent use.
During the audit a UV-VIS spectrometer was found to be past due for calibration in the production area. When questioned, the department manager said that the equipment was out of order; but there is no warning sign indicating that.
You can find more information below:- Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
- Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
-
ISO 27001 and TISAX
While ISO 27001 and TISAX share information security as the main goal, allowing them to be compared, TISAX is more specific, adding specific security controls for connection with third parties, prototype protection, and data protection.
For further information, see:
- How ISO 27001 and TISAX are related https://advisera.com/27001academy/blog/2019/03/11/how-iso-27001-and-tisax-are-related/
-
ISO 27001 / Conformio questions
1. Can I as the Project Manager of the ISO 27001 also conduct the Internal Audit? Or should this be done by someone who is not as involved in the project implementation?
The project manager is involved in most of the activities related to the implementation of the ISO 27001, and since one requirement to be observed for an auditor is impartiality (an auditor cannot audit his own work), this person will not be able to perform the auditor role.
The best course of action would be to train an employee to perform internal auditor or hire an external auditor.
These articles will provide you with further explanation about internal audit:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
- Qualifications for an ISO 27001 Internal Auditor https://advisera.com/27001academy/blog/2015/03/30/qualifications-for-an-iso-27001-internal-auditor/
2. When should the first Management review be conducted? At the end when we have all of the documents, or while we are implementing the policies and procedures? I am asking this because there are some items that have first occurrence set as one month after the start of the project so now I am afraid that I was supposed to do this from the beginning.
ISO 27001 does not prescribe when the first management review needs to be performed, so organizations can schedule it as they see fit.
For a certification implementation project, you can consider smaller management reviews during the project, and the first official management review once the implementation is over.
For further information, see:
- Why is management review important for ISO 27001 and ISO 22301? https://advisera.com/27001academy/blog/2014/03/03/why-is-management-review-important-for-iso-27001-and-iso-22301/
-
Process vs Procedure
Thank you!
-
Addressing Annex A clauses
Please note that the toolkit you bought has all mandatory documents required by the standard and the most commonly used ones. They are all you need to address the clauses and Annex A of the standard. No additional document is required.
Included in the toolkit there is a List of documents file that will show you which clauses and controls of the standard are covered by each document.
Writing a single big document is not recommended because it will become too complex to read and maintain.
For further information, see:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
These materials will also help you regarding the implementation of ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
-
Statement of applicability A.9.1.2 (Access to networks and network services)
When a risk is similar to several assets, you can create a single asset to represent them all and associate the risk to it, as you suggested.
For example, you do not need to record an organization's notebooks as individual assets (you can add an asset called "notebook"), but if they have specific purposes with different risk levels you can use specific assets like "notebook", "development notebook", and "finance notebook". The same concept applies to IT assets.
For further information, see:
- Asset management according to ISO 27001: How to handle an asset register/asset inventory https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
-
Control of Suppliers (Contractors)
Please note that is not our policy to provide recommendations about specific solutions or technologies to manage endpoints or the environments they access, so we can advise only about rules you should consider when evaluating such items.
Considering that, rules you should consider for those laptops/computers are access control for the accessed environment, use of protected channels to access the environment (e.g., use of VPN), use of encrypted drives, antivirus and updated OS and other required software (as you suggested), and use of backup.
About fit for purpose, provided these adopted controls decrease identified relevant risks to acceptable levels, and fulfill applicable legal requirements this would be acceptable for ISO 27001 certification purposes.
For example, specific information security or privacy laws and regulations (e.g., EU GDPR, HIPAA, etc.), and security clauses in contracts with clients (e.g., contractual clauses requiring the use of specific cryptography for storage devices).
Please note that, to enforce the application of such controls, you need to have signed contracts with these contractors, where such contracts will have information security clauses related to the controls you want the contractors to follow.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/