Application of controls, suppliers and HIPAA

Guest user, created: Nov 28, 2018, last commented: Nov 28, 2018

I have a few queries for which I request your help to boost my understanding of ISO 27001.

Expert: Rhand Leal, Nov 28, 2018

1. Out of the two - Background Checks and signing an NDA - which one of these is mandatory? Is it mandatory to have both (or) is it fine for an organization to have the NDA signed by employees without performing background checks (or) conduct background checks but not necessary to sign an NDA? Please help clarify.

Answer: Neither is mandatory for ISO 27001. A control from Annex A must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of Background Checks and/or signing an NDA
- There are legal requirements (e.g., laws, regulations) that require the implementation of Background Checks and/or signing an NDA
- There is a top management decision requiring the implementation of the Background Checks and/or signing an NDA

If none of these occur, there is no need to implement a control considering ISO 27001 requirements.

These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

2. An employee's sole responsibility is to create a manual 3rd party or Vendor Risk Assessment (VRA) report by reviewing the documentation on the vendor's control environment shared by the client's vendors. Does it mean that the employee is conducting a risk assessment?

Answer: Risk assessment comprises risk identification, risk analysis and risk evaluation, and documentation review is one technique to perform risk identification, but it is a very limited one (it should be complemented with interviews, expert opinion, on-site observation, etc.). So this activity should be considered only as a part of a complete risk assessment process.

For more information, see:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- How to write ISO 27001 risk assessment methodology https://advisera.com/27001academy/knowledgebase/write-iso-27001-risk-assessment-methodology/

This material can also be helpful:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/

3. What are the mandatory requirements for a health care client, e.g. HIPAA?

Answer: We are not experts on HIPAA, but ISO 27799, a support standard for ISO 27001 whose main objective is to provide security controls to protect personal health information, has many common points with HIPAA, so you can use this standard to be compliant with HIPAA.

For more information, please see: How ISO 27001 and ISO 27799 complement each other in health organizations https://advisera.com/27001academy/blog/2016/06/13/how-iso-27001-and-iso-27799-complement-each-other-in-health-organizations/

4. Who from the team/organization is responsible to prepare the External Service Provider (ESP) questionnaire?

Answer: ISO 27001 does not prescribe specific roles for information security related activities, so organizations can designate any roles they see fit, or create a new one if necessary. Considering this specific demand, the person who is currently handling external providers can be designated as responsible for this questionnaire. Another alternative is to assign this activity to the security officer, if there is such a role. One important note: since it involves external providers, legal advice should be considered, because most requirements would be in the form of contractual clauses.

For more information, please see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
