BLACK FRIDAY DISCOUNT
Get 30% off on toolkits, course exams, Conformio, and Company Training Academy yearly plans.
Limited-time offer – ends December 2, 2024
Use promo code:
30OFFBLACK

Expert Advice Community

Guest

Questions about implementation

  Quote
Guest
Guest user Created:   Jun 07, 2023 Last commented:   Jun 07, 2023

Questions about implementation

I have some questions if that's okay! See below:

What documents should we be including under the ISMS? Should the scope mainly include policies and procedures or should we be including all client/supplier contracts, day to day project documents eg. cost estimates / statement of works etc.

Double check internal annual audit - does this need to happen every year? if so, when does this happen e.g., every year from certification? (in our case, we're looking to be certified Sept 2023, so Sept 2024 would be the next internal audit). Is there any leniency on it being 12 months versus 18 months for example?

Remote working policy - this is more general advice, but do we need to add how we manage people working abroad, as they need to be able to work from wherever they can on business which can sometimes mean in a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?

Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We currently are excluding them as we feel we would be covered under their own security policies but just wanted to double check that's accurate/ what the standard is?

Thanks very much!

0 0

Assign topic to the user

ISO 27001 LEAD IMPLEMENTER COURSE

Become certified as an ISO 27001 consultant.

ISO 27001 LEAD IMPLEMENTER COURSE

Become certified as an ISO 27001 consultant.

Expert
Rhand Leal Jun 07, 2023

1 - What documents should we be including under the ISMS? Should the scope mainly include policies and procedures or should we be including all client/supplier contracts, day to day project documents eg. cost estimates / statement of works etc.

The documents to be included in your ISMS will depend on your defined scope, i.e., the processes or locations where the information you want to protect flows.

For example, if your ISMS scope covers only a software development and maintenance process, then the source codes, customer specifications, and policies and procedures related to that process should be included in the ISMS.

In case all your organization is included in the ISMS scope, then all information you mentioned should be included.

For further information, see:

2 - Double check internal annual audit - does this need to happen every year? if so, when does this happen e.g., every year from certification? (in our case, we're looking to be certified Sept 2023, so Sept 2024 would be the next internal audit). Is there any leniency on it being 12 months versus 18 months for example?

An internal audit needs to be performed before each planned audit scheduled by your certification body (i.e., the certification and surveillance audits), so you need to consider the certification body’s audit schedule to check when to perform the audits. In general, certification bodies define a one-year cycle for their surveillance audits, so in this situation, you need to perform at least one internal audit per year.

Regarding when to perform the internal audits prior to the certification’s body audits, there is no prescribed prior period to perform an internal audit, so organizations can perform them according to their needs, provided the internal audits are performed before a scheduled certification/surveillance audit.

Since the internal audit is a mandatory requirement, not performing an internal audit before a scheduled certification body’s audit would be a major non-conformity, which can compromise your certification.

For further information, see:

This material can also help you:

3 - Remote working policy - this is more general advice, but do we need to add how we manage people working abroad, as they need to be able to work from wherever they can on business which can sometimes mean in a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?

Please note that common practices are already covered in the Mobile Device, Teleworking and Work from Home Policy, such as:

  • Access control
  • Backup
  • Storage of device when not in use

This template is located in folder 09 – Annex A Security Controls.

For additional practices to be considered, you need to check the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).

4 - Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We currently are excluding them as we feel we would be covered under their own security policies but just wanted to double check that's accurate/ what the standard is?

Answer: You should consider in your ISMS scope only the infrastructure you can control, so you should leave the client infrastructure out of your ISMS scope.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 07, 2023

Jun 07, 2023