Search results

List of legal, regulatory, contractual requirements

In this case, the person "responsible for compliance" is the information owner, i.e, the person who authorizes the information described in the agreement to be available to the employee.

For example, if the agreement covers R&D information, then access to it is authorized, for example, by the R&D department head, so this person needs to ensure that the employee already has signed the confidentiality agreement before granting access to the information.

Conformio expert question

1. How to handle legal and contractual requirements and what clauses require this in the standard?

Legal and contractual requirements are handled through the Register of Requirements module. In the Wizard tab on the screen's left side, you will find A Help & Support tab where you can access help videos that will explain how to use this module.

Legal and contractual requirements are related to standard clause 4.2 Understanding the needs and expectations of interested parties, and Annex A control A.18.1.1 Identification of applicable legislation and contractual requirements.

2. Is it required that the person who is doing the Audit needs to have training in Internal Auditing and ISO 27001?

The standard requires that a person performing work that can impact information security has proper competence, by means of experience, training, or education.

Considering that, in case this person already has previous experience on ISO 27001 and ISO 27001 internal audits (e.g., this person has already performed internal audits before), he does not necessarily need to have formal training.

For further information, see:

• How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
• Free online training ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/

ISO 27001 expert question

Please note that this need for certification will depend on your business objectives and applicable legal requirements (e.g., you need to comply with a law or regulation, or a contract with a customer demands such certification).

In a general way, if your focus is on customer satisfaction, you should look for ISO 9001 certification. In case your focus is on information security, then you should look for ISO 27001 certification. Additionally, you can work with an integrated management system, covering both ISO 9001 and ISO 27001.

These articles will provide you a further explanation about ISO 9001 and ISO 27001:
- What is ISO 27001? https://advisera.com/27001academy/what-is-iso-27001/
- Four key benefits of ISO 27001 implementation https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/#benefits
- What is ISO 9001? https://advisera.com/9001academy/what-is-iso-9001/
- Using ISO 9001 for implementing ISO 27001 https://advisera.com/27001academy/blog/2010/03/08/using-iso-9001-for-implementing-iso-27001/
- Benefits of ISO 9001 implementation for small businesses https://advisera.com/9001academy/blog/2018/09/17/benefits-of-iso-9001-implementation-for-small-businesses/

HIPAA & ISO27001

Unfortunately, we do not have such a comprehensive document, but you can have information about SOC 2 and ISO 27001 overlap in this article:

• Comparison of SOC 2 and ISO 27001 certification https://advisera.com/27001academy/blog/2021/02/02/iso-27001-vs-soc-2/

With the information in the articles included in the previous answer, you will be able to have this general overview.

ISO 9001 & Hazard Analysis

ISO 9001:2015 does not reference the use of Hazard Analysis. I only consider its use mandatory if prescribed in a contract or in other compliance obligations.

You can find more information below about risks.

• How to address risks and opportunities in ISO 9001: https://advisera.com/9001academy/blog/2016/06/21/how-to-address-risks-and-opportunities-in-iso-9001/
• How to identify risk significance in ISO 9001:2015 - https://advisera.com/9001academy/blog/2019/01/14/how-to-identify-risk-significance-in-iso-90012015/
• For a free preview of an example of the Registry of Key Risks and Opportunities - https://advisera.com/9001academy/documentation/registry-of-key-risks-and-opportunities/
• Enroll for free course - ISO 9001:2015 Foundations Course - https://advisera.com/training/iso-9001-foundations-course/
• Book - Discover ISO 9001:2015 Through Practical Examples - https://advisera.com/books/discover-iso-9001-2015-through-practical-examples/ (I use a lot of examples based on the risk-based approach)

BIA process

From your question I’m understanding that in your scenario you have a specific business unit responsible for information security in the organization, and that you performed a BIA for each department in the organization.

Considering that, please note that a BIA will give you information about impact on business continuity specifically for the scope where it is applied (i.e., the BIA for a department will give you information about that specific department only).

So, to have information about business continuity impact on the information security department, you need to perform a BIA on this department. The BIA in each department needs to be performed using the same methodology, i.e. the same set of rules so that the results are comparable.

These articles will provide you a further explanation about performing BIA:
- How to implement business impact analysis (BIA) according to ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-implement-business-impact-analysis-bia-according-to-iso-22301/
- Five Tips for Successful Business Impact Analysis https://advisera.com/27001academy/blog/2010/06/10/five-tips-for-successful-business-impact-analysis/

These materials will also help you regarding BIA:
- Book Becoming Resilient: The Definitive Guide to ISO 22301 Implementation https://advisera.com/27001academy/becoming-resilient-the-definitive-guide-to-iso-22301-implementation/
- Implementing Business Impact Analysis according to ISO 22301 [free webinar on demand] https://advisera.com/27001academy/webinar/implementing-business-impact-analysis-according-to-iso-22301-free-webinar-on-demand/

ISO 27001 and HiTrust

You can use ISO 27001 framework to partially support HITRUST controls implementation, maintenance, and improvement (i.e., ISO 27001 does not cover the whole HITRUST).

ISO 27001 involves the implementation of a high-level information security management system, while HITRUST involves detailed requirements and controls for the secure creation, access, storage, and exchange of sensitive and/or regulated data.

For more information, please access this link: https://hitrustalliance.net/uploads/CSFComparisonWhitpaper.pdf

If you are interested in the help of ISO 27001, maybe our templates can be interesting for you, so you can download a free version here by clicking on “DOWNLOAD FREE TOOLKIT DEMO”: https://advisera.com/27001academy/iso-27001-documentation-toolkit/ 

By the way, ISO 27799, which is similar to ISO 27001, is an international standard that also focuses on information security for health organizations.

These articles will provide you a further explanation about ISO 27001 applicable to health organizations:
- How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/
- Comparison of HIPAA compliance and ISO 27001 certification https://advisera.com/27001academy/blog/2021/01/27/hipaa-compliance-vs-iso-27001/

Nonconformity question

First, I don’t use the word “observation” because it is not defined in ISO 9000:2015.

Second, I would raise a non-conformity as being the equipment out of use and without being properly identified as such can promote inadvertent use. Something like:

Measuring equipment shall be identified in order to determine their status (ISO 9001:2015 clause 7.1.5.2b)).
When auditing the production area an equipment was found to be past due for calibration and without status identification, as such can promote inadvertent use.
During the audit a UV-VIS  spectrometer was found to be past due for calibration in the production area. When questioned, the department manager said that the equipment was out of order; but there is no warning sign indicating that.

You can find more information below:

• Monitoring and Measurement Equipment Control - https://advisera.com/9001academy/blog/2014/05/06/monitoring-measurement-equipment-control/
• Free online training ISO 9001:2015 Foundations Course – https://advisera.com/training/iso-9001-foundations-course/
   

ISO 27001 and TISAX

While ISO 27001 and TISAX share information security as the main goal, allowing them to be compared, TISAX is more specific, adding specific security controls for connection with third parties, prototype protection, and data protection.

For further information, see:

• How ISO 27001 and TISAX are related https://advisera.com/27001academy/blog/2019/03/11/how-iso-27001-and-tisax-are-related/