ISO 9001 Clause 4.1 Understanding the organization and its context

Vincent Delaney and Phil Byrne discuss Clause 4.1 of ISO 9001:2015 to ensure that viewers gain a good understanding of the intent of the criteria. Click here to watch the video(javascript:void(0))

ISO 27001 Clause 4.1 Understanding the organization and its context

Phil Byrne speaks about Clause 4.1 of ISO 27001:2013 to ensure that viewers gain a good understanding of the intent of the criteria. Click here to watch the video(javascript:void(0))

The Contextual Issues Register (Part 1)

Click here to watch the video(javascript:void(0))

ISO 9001 Clause 4.2 Understanding the needs and expectations of interested parties

Vincent Delaney presents Clause 4.2 of ISO 9001:2015 to ensure that viewers gain a good understanding of the intent of the criteria. Click here to watch the video(javascript:void(0))

Phil Byrne is the nominated management representative for the management of relevant data processing aspects, applicable to this website.

Data submitted through this website is directed to the appropriate department to meet the requirements of the processing, as described above. All personnel involved in the processing of data, including PII, are committed to confidentiality and non-disclosure by contractual arrangement. Where necessary, recipients of submitted data will be to external parties, as documented below.

Data submitted through this website is stored on our secure information systems, as follows: • Google Workspace: https://workspace.google.com/;(https://workspace.google.com/) • Wix: https://www.wix.com/.(https://www.wix.com/)

Data Protection Guarantee [Article 13.1(f) EU-GDPR]

To ensure that our external providers are managed effectively, we have obtained appropriate data protection guarantees, which include International Certifications and Approvals including ISO 27001 Certification.

For any queries regarding this policy or the stated controls, please contact us: • By sending an email to : info@enable-iso.com;(mailto:info@enable-iso.com) • By calling us: 00 353 1 224 8601.

For user information submitted through this website, consent is obtained at the point of submission. Where the user subsequently decides to opt-out, withdrawing their consent, this is done by making direct contact, by the various means documented above.

Primary Scope of Our Services

ISO Management Systems Partnership Ltd., trading as Enable ISO, is established to provide Auditing, Contracting & Consulting services to organizations who subscribe to ISO Management Systems Standards and other applicable Codes of Practice.

We are a team of Lead Auditors for ISO Management Systems Standards with a broad scope of experience in numerous business sectors. Our internal peer review mechanism ensures that our customers always receive the very best auditing, consultancy and contracting services, based on their specific requirements.

As a professional services provider, we ensure that all of our customer engagements adhere to the principles of auditing established in ISO 19011:2018 Guidelines for auditing management systems.

Our methodologies are developed to be effective in meeting the relevant requirements, and streamlined to provide for a positive customer engagement.

Stay Up-to-date with Enable ISO

Clicking on the LinkedIn icon below will take you to the Enable ISO Company Page on the LinkedIn website, where you can follow us to keep up-to-date with the latest on ISO Standards as they are regularly revised, with new Standards being introduced occasionally. https://www.linkedin.com/company/enable-iso(https://www.linkedin.com/company/enable-iso)

The Auditors Perspective

All of our Consultant Lead Auditors are qualified IRCA Certified Lead Auditors for the ISO Management Systems Standards we work with. When we engage with our customers, we always bring the perspective of the Certification Auditor to bare, ensuring that the management system is always audit ready.

Ready to Go Total Management System (TMS)

We provide a well developed suite of documents as part of our Total Management System (TMS) offering. All of the documentation, including policies and spreadsheets, audit templates, etc., are introduced through our TMS Training, or as part of the Pathways to Certification, where applicable.

ISO FAQ | Enable ISO - Quality, Information & Privacy Security, Supply Chain

The nominated Enable ISO representative receives notification of the report. • Their responsibility is to evaluate the report to assess the information provided, so that the appropriate course of action can be taken according to the nature of the report. • The representative is responsible for prioritizing the issue or concern reported to determine whether an incident has occurred, and whether there needs to be an immediate incident response to mitigate against further harm. • A decision is made with regard to mandatory reporting requirements to the relevant authorities, where appropriate.

The reporter is contacted by the Enable ISO representative to arrange a meeting to discuss the reported issue of concern. • This meeting can be by telephone call, video conference, or where practicable, face to face, depending on the circumstances, with consideration for the nature of the report and the availability of all relevant parties. • A minimum of a written record of this meeting is documented by the Enable ISO representative. Their responsibility is to ensure that the anonymity of the reporter is preserved. • A decision is made as to whether the reported issue or concern requires further investigation.

The Enable ISO representative makes contact with the organization at the appropriate level, to initiate a formal internal investigation relevant to the reported issue or concern. • The Enable ISO representative will make direct contact with the nominated top management representative of the organization to request that they participate in a formal investigation. • A meeting is convened, to include relevant parties, to the exclusion of the reporter, as appropriate to maintain their anonymity. • The scope of the investigation is established and agreed so that it can be planned and resourced to an appropriate extent to ensure valid results. This includes timescales, relevant access requirements, including the availability of relevant personnel, organizational information, etc. • Where appropriate, an investigation team is established to ensure balanced reporting across all relevant aspects, whether technical, organizational, legal, or other attributes. This may involve outsourcing part of the investigation to a professional services provider to meet the competency requirements of the aspects under evaluation. • The Enable ISO representative is responsible for leading the investigation and reporting on its findings to the organization. • The reporter is kept informed of progress with the investigation as appropriate to their rights and entitlements, where relevant to the reported issue or concern.

The Enable ISO representative convenes a Management Review Meeting to consider the reporting from the investigation. • The Enable ISO representative chairs a meeting with top management to consider the findings and recommendations of the report. This meeting is documented to record relevant decision points and action points. • Actions can include the initiation of the disciplinary procedure, where an individual or group is suspected of wrongdoing; which includes potential breaches of applicable legislation, policies and controls, or other contractual arrangements. • There may also be a requirement for mandatory reporting to the relevant authority. • All action points must be closed out to the satisfaction of all relevant parties in order to close the investigation. • The reporter is informed of the decisions made as a result of the investigation and management review process. Where they object to the results of the investigation, they reserve the right to report the matter to the relevant authority, as appropriate.

ISO Management Systems Partnership Ltd. trading as “Enable ISO” is the data controller for this website. (CRO: 623761) This policy is established to provide you with a clear understanding of how we manage the data we collect through this website, with consideration for security and protection of Personally Identifiable Information (PII). This policy was evaluated and approved by the management team on 18th June 2024 To support our commitment to best practice with regard to information and privacy security management, please see the Information Security Policy Statement (javascript:void(0))which is based on the requirements of ISO 27001:2013, Clause 5.2; and provides our framework for the management of all organizational data, including personally identifiable information (PII), throughout our organization.

The data we collect from users of this website is as follows: • Personal identifiers, including name, organization name, email address; • Our contact form asks the user to submit preference information with regard to service type and their preferred date and time for an initial consultation; • Data submitted voluntarily by email or via the “chat” facility, where the user elects to to provide feedback or make a complaint; • Cookies data via the user's browser settings.

We process your data for the following purposes: • Where the user is required to login to access the “Knowledge Library”; • To process requests for appointments and calendar bookings; • To process user enquiries sent via the contact form, chat facility or by email, including feedback and complaints; • To enrol users in marketing communications, such as; newsletters, product launches, marketing campaigns, etc.

Internally, access to data is provided to only those parties who are involved with the direct processing of user enquiries, purchases, etc. Internal transfers also take place to provide relevant contact information to our consultancy team so that they can engage with customers they are assigned to work with. Enable ISO does not currently engage with third party application providers in the management of data through this website. This website contains links to external websites which are outside of our control. Please read the privacy information for the destination website should you select one of these externally linked websites. At this time, LinkedIn is the only externally linked website to www.enable-iso.com, where we have limited control over the content on the Enable ISO company page, hosted therein. LinkedIn cookies information at the following link: https://www.linkedin.com/legal/cookie-policy?trk=hb_ft_cookie(https://www.linkedin.com/legal/cookie-policy?trk=hb_ft_cookie) Note: Organizations we work with are referenced on the Home page, where their logos are displayed with hyperlinks to their websites.

Rights of Data Subjects We are committed to ensuring that our obligations toward the data protection rights of users of this website are effectively met, as follows: • The right to access: All user data stored on our information systems is available to the data subject upon request by contacting us directly as documented above. Typically, we provide this data in digital format sent to the user-provided email address, unless other specific arrangements are agreed; • The right to rectification: Where a user identifies that stored information is inaccurate, this can be easily corrected by direct contact, as above; • The right to erasure: Where relevant conditions are met, users of this website can request that their personal data is erased by direct contact, as above; • The right to restrict processing: Where relevant conditions are met, users of this website can request that the processing of their data is restricted to specific purposes; • The right to object to processing: Where relevant conditions are met, users of this website have the right to object to their data being processed in any manner; • The right to data portability: Users of this website can request that their data is transferred to a third party organization nominated by them, by direct contact with us, as above. Upon receipt of a user request to exercise any of these data protection rights, we are committed to responding to meet our obligations within the earliest practicable timeframe, which will not exceed 30 days.

To ensure that user information submitted through this website is always managed securely, we have implemented technical and organizational measures, appropriate to the nature of the processing and the data being processed. • All personnel assigned to processing activities are subject to confidentiality and non-disclosure clauses in their contracts of employment; • Information systems are secured with various controls, including: • Encryption of data repositories and endpoints; • Malware protection. To provide a framework for best practice throughout our organization with regard to information and privacy security management, we have implemented a formal management system which is closely aligned to ISO 27001. We regularly review this privacy policy to ensure it remains suitable and effective in communicating all relevant privacy information, as required by our website users and applicable legislation.

For those who would like to request information, enforce their rights as data subjects, make a complaint, or other relevant matters, they are advised to seek a remedy from us in the first instance, by contacting us directly as documented above. If our response does not adequately meet your expectations with regard to your data protection rights, please contact the National Authority: Data Protection Commission 21 Fitzwilliam Square South Dublin 2 D02 RD28 https://www.dataprotection.ie/(https://www.dataprotection.ie/)

Cookies are small pieces of data stored on a site visitor's browser. They are typically used to keep track of the settings users have selected and actions they have taken on a site. Our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data. Click on the “Cookies settings” link at the bottom of this page, to manage your cookie preferences.

Cookies deployed to manage links to third party processors, as notified above, are described in the cookies settings management section of this website. The third-party cookies used on our website are mainly for: • understanding how the website performs; • understanding how you interact with our website; • keeping our services secure; • providing advertisements that are relevant to you; and • providing you with a better and improved user experience and help speed up your future interactions with our website. Please clink on the "Cookies settings" button at the bottom of this page to review and manage relevant cookies.

The following links explain how to access cookie settings in various browsers: • Cookie settings in Firefox: http://support.mozilla.com/en-US/kb/Enabling%20and%20disabling%20cookies;(http://support.mozilla.com/en-US/kb/Enabling%20and%20disabling%20cookies) • Cookie settings in Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies(https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies) • Cookie settiings in Google Chrome: http://www.google.com/support/chrome/bin/answer.py?answer=95647;(http://www.google.com/support/chrome/bin/answer.py?answer=95647) • Cookie settings in Safari (OS X): http://support.apple.com/kb/PH17191?viewlocale=en_US&locale=en_US;(http://support.apple.com/kb/PH17191?viewlocale=en_US&locale=en_US) • Cookie settings in Safari (iOS): https://support.apple.com/en-us/HT201265;(https://support.apple.com/en-us/HT201265) • Cookie settings in Android: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroid&hl=en&oco=0;(https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroid&hl=en&oco=0) • To opt out of being tracked by Google Analytics across all websites, visit this link: http://tools.google.com/dlpage/gaoptout.(http://tools.google.com/dlpage/gaoptout)

Enable ISO recognizes that through the day-to-day operation of its business, we have an impact on our internal and external environment. Also, we ensure that due consideration is given to the potential impact that information and privacy security aspects may have on the operation of our core processes. As a result, Enable ISO has established this Information Security Policy Statement, to communicate awareness and understanding of data protection throughout the business. Enable ISO has implemented this policy statement to provide guidance to all interested parties on our approach to managing personal information throughout our organization, with full consideration for our obligation toward relevant data protection legislation, including EU-GDPR. The company management system has been developed to include appropriate measures determined by the ISO 27001 Standard.

To ensure that all relevant interested parties have a clear understanding of our approach to information and privacy security management, we have adopted the following definitions for the term “information security” • The preservation of confidentiality, integrity and availability of information. (ISO 27000:2018, Clause 3.28) • The state of being protected against the unauthorized use of information, especially electronic data, or the measures taken to achieve this. (Oxford Languages) For the purposes of conformity to EU-GDPR, information security management extends to cybersecurity and privacy protection.

While Enable ISO ensures that all personnel consider process related Information & Privacy Security impacts, we have also identified the following aspects for particular attention; • Enable ISO ensures that we meet relevant regulatory requirements and minimise any adverse Information & Privacy Security effects caused as a result of our activities, • That we raise awareness, provide knowledge and support to employees on Information & Privacy Security management, • Give training on the importance of protecting business and customer information throughout our business, • Promote an awareness of Information & Privacy Security objectives, • Regularly review our Information & Privacy Security practices and policy in accordance with the principles ISO 27001, • Establish performance objectives, targets and management programmes to achieve these.

Where appropriate, Enable ISO has determined specific mechanisms to control how personal data is managed throughout operational and support processes, based on the following precepts with consideration for Article 5 of the GDPR directive (Principles relating to the processing of personal data); • That personal information gathered is only done so for the legitimate purposes of our business, including where necessary, legal and regulatory purposes, • Only the minimum amount of information necessary for effective operations is processed, • Where Enable ISO requires that children’s information is processed, training is provided to personnel involved so that they are aware of the relevant vulnerabilities and controls, • Where necessary to collect information directly from children, additional control measures are in place to ensure adequate protection, • Enable ISO ensures that we only process relevant and adequate personal information throughout operations, • That personal information is processed in a fair and lawful manner, • Enable ISO maintains an inventory of categories of personal information processed by the organization, • That all personal information is kept accurate and up-to-date, • All personal information is only retained for as long as is necessary for legal or regulatory reasons or for legitimate organizational purposes, ensuring it’s timely and appropriate disposal, • That in all circumstances, the rights of natural persons to their personal information is respected, • Adequate resources have been allocated to ensuring that all personal information processed and stored by Enable ISO is done so in a secure operational environment, • That transferring personal information outside our national boundary is only done in circumstances where it can be adequately protected, • Where we are providing our goods and services to EU citizens across national boundaries, Enable ISO ensures that appropriate regulatory aspects are addressed, • Enable ISO does not currently carry out any operations where the application of the various exemptions allowable by data protection legislation is required, • We have developed our management system to provide for the formal management of personal information, which provides for all measures documented herein, • Enable ISO has identified internal and external interested parties and the degree to which they are involved in the governance of the organization’s management system relevant to personal information, • Top management has appointed management representatives for with specific responsibility and accountability for personal information within the management system, • Appropriate records of processing of personal information is maintained throughout operations.

All risk assessments are carried out with the main objective being to manage the confidentiality, integrity and availability of company information and systems. Management has developed and approved the Organizational Risk & Business Continuity Management Policy Statement to provide an overview of the Enable ISO methodologies for risk assessments, risk treatments, incident response and business continuity. All relevant personnel are provided with the necessary resources to prepare for and respond to potential threats to information security, with regular testing and evaluation of our incident response and business continuity planning, for continual suitability and effectiveness.

Enable ISO has implemented an Internal Audit Programme to ensure the ongoing suitability, conformity and continual improvement of the management system is assured. The management system has the full support of all interested parties. Information and privacy security aspects are considered at our management meetings, where the results of internal audits and risk assessments are considered for continual suitability and effectiveness. All operational and support processes are within the scope of the management system. Relevant personnel have been provided with a copy of this document, and it remains available in the Enable ISO document system for further reference.

It is the policy of Enable ISO to provide our Auditing, Contracting & Consultancy services that always meet and where possible, exceed our business objectives and customer requirements, based on the following precepts: • The requirements of our customers are collected effectively to ensure that Enable ISO is capable of achieving customer expectations; • The requirements of all interested parties are clearly understood so that our products and services can be delivered in a timely and professional manner; • All processes employed by Enable ISO to deliver our services are determined, resourced appropriately, documented, monitored and measured to ensure conformance to: • Customer requirements, • Business objectives, and • Any applicable industry regulations and legislation, • All Enable ISO employees are competent for their area of work through academic achievement, training and experience, where appropriate; • Effective mechanisms are in place to monitor and measure customer satisfaction so that Enable ISO achieves its commitment to continual Improvement.

To provide for this policy, Enable ISO has established a management system in line with the requirements of the ISO 9001 Standard. The management system is an integral part of our process management and the organization is dedicated to its continual improvement by: • Providing clear focus on priorities by establishing business and quality objectives, which are reviewed periodically through the management review process; • Making available the necessary resources to ensure that the management system remains effective in achieving business and quality objectives, conforming to the requirements of the ISO 9001 Standard; • Top management’s participation in the monitoring and measurement of the performance of the management system is focused on providing an effective framework for acting on opportunities for continual improvement.

Enable ISO has implemented an Internal Audit Programme to ensure the ongoing suitability, conformity and continual improvement of the management system is assured. The management system has the full support of all interested parties. All operational and support processes are within the scope of the management system. The TMS is subject to management review at least once annually. All personnel have been provided with a copy of this document, and it remains available in the Enable ISO document system for further reference.

Our experience to-date is that when we employ our structured approach to engaging with our customers, on whichever Pathway to Certification they choose, the commitment and buy-in from all parties becomes critical to the success of the engagement. We commit to providing our customers with the very best Auditing, Contracting & Consultancy services to ensure that their ISO Journey is not only successful, but also enjoyable, with measurable values achieved along the way.

We are fully IRCA qualified and practicing Lead Auditors for the ISO Standards we work with. We are also involved in the development of ISO Standards at National and International level, representing Ireland in the ISO Community. Our experience working with organizations across most commercial sectors brings real understanding for the constraints upon most. Our proven methodologies bring success, even in the most complex working environments. In recent times we have developed a close relationship with a number of organizations in the Software Engineering sectors, where Information Security has become significant relevant to EU-GDPR. Our service delivery to meet the requirements of ISO 27001 and relevant supplemental ISO Standards, has proven to be a successful offering to this particular market.

Our Guidance on Auditing, Contracting & Consultancy Hours (javascript:void(0))provides our prospect customers with practical information on the level of engagement required to achieve ISO Certifications with Enable ISO, regardless of the size and type of organization. Our objective here is to be as open as possible on pricing and to provide an indication of the amount of contracting or consultancy required for success, dependent of the chosen Pathway to Certification.

We offer our customers a broad range of choices to meet their exacting needs. Our Pathways to Certification provide opportunities for any organization, regardless of their type and size, to achieve Certification to ISO Standards. The level of engagement from us at Enable ISO is tailored to meet the requirements for each of our customer organizations, with full consideration for the Scope of Work arising from the Gap Analysis, the availability of internal resources, and other relevant factors. Given that Pathways 3 & 4 involve engaging directly with our customers on detailed contracting and consultancy projects, we can guarantee that the management systems will alway be audit ready throughout the customer engagement, once initial development and implementation work is complete.

To ensure that all of our customers achieve their ISO Certification objectives, we engage with the key people in the organization to ensure that the development and implementation of their management system, is driven by values and not just a tick-box exercise. Our streamlined methodologies are borne out of many years of working with organizations who are on their ISO Journey. The principle we work to is that when we ask for something to be done, it will either be a specific requirement of the subscribed Standard, or it will bring a measurable value to the organization. Our day-to-day work is ISO: This has brought with it a comprehensive and distilled understanding of how to bring an organization along their Pathway to Certification.

Our areas of work stem from our own collective experience working in commercial sectors. Our backgrounds are largely in technical areas, Software Development & Engineering, Electrical Engineering, Telecoms & Utilities, Warehousing, Transport & Logistics, Professional Services, including Architects and Engineers. In the Construction and other sectors we work with a number of customers, particularly for those who operate in formal tendering markets. We have a strong connection with the PSA regulated Security Sector as our team is involved in auditing to licencing requirements.

This management systems standard is the most popular of all the ISO Standards, with over one million organizations registered, in more than 170 countries around the globe. The criteria is established at a high level and remains applicable and scalable to any organization, regardless of type or size. Setting out the criteria for quality management of all aspects of an organization, this Standard is critical to many business sectors, particularly in formal tendering markets.

For organizations who take information and privacy security management seriously, ISO 27001 is the go-to Standard. It is developed in conjunction with ISO 27002 which provides guidance for organizations on the appropriate technical and organizational measures required for effective management of Organizational, People, Physical & Technical controls. Importantly, this Standard is accepted as best practice in the management of the security elements of EU-GDPR.

The ISO 27000 series of Standards have become commonplace where trading relationships rely on assurances over the governance of information security, cybersecurity and privacy protection. Since the EU-GDPR came into effect, organizations around the globe have registered to ISO 27001 to help them demonstrate conformance to the security elements of the legislation. In particular, Annex A of ISO 27001 provides for the relevant technical and organizational measures appropriate to the organization's needs, dependent of the criticality and complexity of the processing, and the sensitivity of the data being processed. The relationship is further extended, with the use of ISO 27002 to provide guidance on those technical and organizational measures, helping organizations understand the level of formality required for their own information security management. In addition, ISO 27701 provides for privacy information management, specifically relevant to EU-GDPR. In Ireland, as with many other juristictions, these important Standards have been adopted by the INAB and NSAI as "National Standards". This adequately provides for the requirements of the Data Protection Commission to establish a recognized certification scheme according to Articles 42 & 43 of EU-GDPR (and UK-GDPR).

The new Enable ISO Statement of Applicability (SoA): A Brief Overview

To meet the needs of our customers we have prepared a new Statement of Applicability (SoA) spreadsheet, which can be used to prepare for the transition to the latest criteria.

This short video clip looks at the FDIS of ISO 27002 to identify the source of the criteria for the newly developed Enable ISO SoA spreadsheet system, and how our customers can use it to prepare for their organization's transition to the new edition of ISO 27001, once revised to incorporate the new structure of ISO 27002.

Watch the Video

Pleace click on the link above to learn more about the Enable ISO SoA.

Making the changes to meet the new requirements of ISO 27002

For organizations who are new to the ISO Standards for Information & Privacy Security Management, and those who are already familiar, and registered to ISO 27001:2013, we offer our proven Information & Privacy Security Gap Analysis service.

Contact us to request a Free 60 Minute Consultation to discuss the scope of an ISO 27002 Information Security, Cybersecurity & Privacy Protection Gap Analysis for your organization.

This gap analysis is delivered by our experienced Consultant Lead Auditors, with a proven track record in helping organizations achieve ISO 27001 Certifications.

For comprehensive information on this important service, please go to our ISO 27002:2021 Gap Analysis page.

Process Analysis:

We introduce the Process Risk Register, which is the mechanism used to document core operational and support processes.
These core processes are identified so that the nominated management representatives can consider the high level operational activities which need to be considered from an internal auditors perspective.
We look at how the Process Risk Register is used to document these processes in linear sequential order.

Data Protection:

We introduce the Statement of Applicability (SoA) which documents the organization-wide information and privacy security controls. At this point, we consider the structure of the SoA, its purpose, and in particular; that it must contain a description of the control agent, or a significant justification for its exclusion, where determined not applicable.
We also briefly look at the mechanism within the SoA for determining the evaluation frequency or information and privacy security controls, to assure us of their continual suitability and effectiveness.

Documenting issues and concerns which may potentially negatively impact the organization, considering all aspects within the scope of the engagement so far.

Identifying relevant interested parties that are important to the organization, and considering related issues and risks.

The operating environment relevant to EOHS needs to be considered to establish those issues which need to documented formally so that we can prepare for risk assessments through future sessions. All organizations will have compliance obligations toward their interested parties relevant to EOHS.

The management team take away action points to begin documenting the operational and support processes under their responsibility, to describe the associated activities and their expected outcomes.

High level policies for information and privacy security are introduced in month 1.
The management team will need to set aside some time to review these documents so that they can be discussed in detail in month 2.
Also, as part of this months analysis, we look at the requirement for information security responsibilities to be "defined and allocated".
How the organization provides for mobile devices and teleworking is considered in month 1. This is a very important aspect for those organizations who rely heavily on remote working.
Relevant policies are to be approved for use and included in the SoA.

Process Analysis:

Determining the key activities within processes where specific performance indicators are identified.
At this point, we begin to consider what could potentially prevent the process from achieving its expected outcomes.
Using the Process Risk Register to determine the potential issues which may negatively impact our processes, we are now making progress toward effective risk management.

Data Protection:

We look at the technical controls established to prevent negative impacts, and what information needs to be provided through the Process Risk Register.
Asset management is considered in detail. At this stage, we are establishing what has to be controlled, how, and by whom.
The requirement for an inventory of assets is considered, with further consideration for centralized management of these assets.
Media handling. particularly the disposal of hard and soft copy data, hard drives, etc., and the transfer of physical media is considered in detail.

Clause 5.1 of all ISO Standards addresses aspects of leadership which cannot be delegated beyond the management team. Primarily, management is asked to consider its commitment to the management system, delegating responsibilities and authorities, accordingly.

Our high level Quality Policy and Information & Privacy Security Policy are looked at in brief during our remote working sessions. Management is asked to review and approve these documents for inclusion in the TMS at this point. The organization will be required to make these policies available to all relevant personnel and interested parties, internal and external.

Note: These policies have an important function in formal tendering markets.

Typically, most organizations will have some clarity around responsibilities for information assets, as a starting point. Here, we focus on documenting the key aspects of asset management which need to be included in the SoA.

Information classification is carried out on our Data Inventory Register, which will need to be completed to document all of the data being captured by the organization for processing and storage.

How the organization provides for the management of media, including removable media, need to be controlled to the extent necessary to be assured of adequate data protection.

Process Analysis:

Operational and support processes are evaluated to establish the responsibilities and interdependencies associated with each high level activity. Where appropriate, relevant authorities associated with process activities need to be considered at this point.

We introduce the General Audit Template, looking at how we tailor it to meet the audit objectives of each core process, the scoring mechanism, and begin our consideration for auditing processes to meet the expectations of a certification auditor.

Data Protection:

We identify the information assets being processed at each stage, establishing the lifecycle of the data through each core operational and support process. (Dataflow).

The requirements for formal personnel management policies relevant to information and privacy security are evaluated to determine organizational controls on people joining and leaving the organization. The controls necessary for managing information security aspects relevant to personnel who are changing roles within the organization are also considered.

From an operational perspective, the focus needs to be on documenting each core operational and support process, to the extent necessary, to provide the reader with enough information for them to understand what is expected of them when carrying out their process activities.

When considering information and privacy security, the team will be identifying the potential negative impacts upon the data within their processes. These impacts are to be categorized as to their effect upon Confidentiality, Integrity and Availability.

With regard to personnel management, the organization needs to formalize its approach to governing what happens when people are occupying and leaving roles with access to information systems.
Policies are provided in generic format within the SoA for consideration.
Management is asked to edit these policies to meet their own needs and approve for use, accordingly.

Process Analysis:

With our internal audit function beginning to deliver some audit results, we are making progress, this month including considerations for risk management. The obvious moment for us to test our assumptions with regard to risk management effectiveness, is when we are carrying out our internal audits.
We look closely at a couple of key processes to consider our approach to risk management through internal auditing, taking some examples through full analysis on the Process Risk Register.
At this time, we being to think about the what if's? What if our risk treatments fail? We use the Contextual Issues Register and the Process Risk Register to document our initial considerations for incident response and business continuity management.

Data Protection:

With our focus on risk management across both ISO 9001 and ISO 27001, we continue this month with the introduction of the Enable ISO SoA Monthly Audit Template.
This audit tool is used to carry out monthly hygiene checks on the established information and privacy security controls to ensure that they remain suitable and effective. We look at the structure of the template, which includes the controls we have looked at on the SoA to-date, where we have determined that a monthly evaluation frequency is required to maintain effective control.

Our considerations for risk management now focuses on risk treatments. Actions to address risks and opportunities determined earlier at Clause 4.1 (and 4.2) are now considered, so that we can determine the risk mitigations necessary to prevent potential negative impacts.

It is important to note that some of these contextual issues ,ay have a direct influence on our thinking when considering operation of processes and what needs to be documented on the process risk register with regard to process instruction.

We refer back to the Organizational Risk & Business Continuity Policy, which was introduced earlier in the project, to review its references to risk assessment and risk treatment criteria.

At this stage, we also take a look at physical and environmental security. Keep in mind that remote working organizations are not excused from the criteria: In fact, organizational requirements for physical and environmental security considerations may increase when determining the controls necessary for effective data protection.

Personnel responsible for managing information systems will be taking on some internal audit inspections to inform the internal audit function. This aspect will be discussed in detail to ensure that the applied internal audit control is effective to meet the expected certification audit requirements.

Process Analysis:

The Internal Audit Programme being developed month by month should now be at a stage where the results of internal auditing should be providing some value.
Importantly, when considering risks and opportunities, including organizational objectives, we look at the internal audit function in how it evaluates our risk mitigations and treatments, organizational objectives for improvement and change, etc.

Data Protection:

Our monthly look at inspections and testing of the SoA controls through the SoA Monthly Audit function should also be delivering results. This is a hygiene check, akin to checking the oil and water in your car engine, and should not be onerous.
The levels of inspections and testing carried out by an organization should be directly proportionate to the criticality and complexity of the organization and its information processing systems.
Much of the work done to carry out inspections of SoA controls is by accessing activity logs, reporting mechanisms, including reports from external service providers relevant to information systems.

Organizational objectives with regard to quality and information security are to be documented on the Enable ISO Objectives Register. It is important to note that established objectives must be measurable, as in, they should be achievable, and can be actioned and completed.

Change management also featured in our analysis this month. Our approach to change management is that significant changes are treated as processes, and documented on the Process Risk Register, where appropriate.

We ask the management team to consider the changes that require formal planning, so that they can be managed through the TMS.

Process Analysis:

We evaluate the IAP Schedule. This spreadsheet is used to plan our internal audit programme, with full consideration for the criticality and complexity of the processes.
Process auditing should be developing to a stage where we are now in a position to consider the results of audits as inputs into management review. What are the metrics that have a decision making value?

Data Protection:

Communications security, from an operational perspective, can be a straightforward consideration, with most organizations having good security controls in place for the management of internal and external communications. Here we need to be a little more formal, particularly with regard to any external entity.
The frequency of inspections and evaluations relating to network security and data transfer is considered as we look again at the SoA Monthly Audit Template.
Our SoA development considers network security controls, and network services.
All aspects of internal and external data transfers are evaluated to consider organizational requirements for formal non-disclosure and confidentiality agreements.
We look at IT services from external providers, including web and power suppliers, to identify areas that need to be monitored through the internal audit functions.

Through the ISO 9001 lens, we consider the resourcing of operations, and the TMS, to provide for effective operations. Organizational requirements for buildings, supporting utilities and services are evaluated to evaluate how we are going to document our response to the criteria of the Standard.

To this effect, we introduce the Resourcing Register, which employs the 5 M's:

Manpower;
Materials;
Machinery;
Methodology, and;
Mother Nature (Environmental).

While there is no direct requirement for us to document this aspect in such a manner, it is a useful exercise, as it allows us to formalize the high level resource requirements for operational and support processes, and systems where appropriate. The feedback from certification auditors is also very positive, which can't be a bad thing.

From an ISO 27001 perspective, we are working through very technical criteria, which is typically the domain of IT professionals, usually with a technical competency.

In many cases, it is at this stage that may be working directly with outsourced IT Services providers, where applicable.

The development of the SoA should be well underway, with this months focus being on network security and data transfer. Typically, we find that out customers provisions are more than adequate in this regard, with the main action points relating to the need to document the relevant controls, formally.

Process Analysis:

At this stage of the TMS Project, internal auditing of operational and support processes in well established, with regular auditing taking place.
Our experience is that it is at this stage that our customers use this section of the project to soundboard their own findings with their assigned consultant, taking into consideration the level of detail in their audit reports, how they are documenting their findings, and how they are treating identified nonconformities and corrective actions.
Our objective is to make sure that we are capturing all of the primary elements of each process for consideration relevant to operational effectiveness, information security and other aspects relevant to risk management, objectives for improvement, etc.

Data Protection:

The technical controls required for information systems acquisition are considered. Your certification auditor will expect a forma approach is taken to determining the security requirements for new systems, equipment, especially when relying on external service providers to fulfill organizational requirements.
The organization is also expected to consider this aspect when making changes and upgrades to information systems.
Application service transactions, particularly relevant to organizations with ecommerce platforms, are to be considered for the controls necessary to prevent unauthorized access and potential tampering of the transactional information.
Organizations who develop and maintain their own software applications, whether it is their primary service offering, or in support of their core business, will need to provide a formal approach to their software engineering operations. The expectation is that there will be an established set of criteria, or code of practice, in place to govern this aspect of the organization.
The testing and deployment of software applications is also considered at this time. This aspect is relevant to all organizations who use software applications to support their operations, whether they are a software engineering operation or not. Consider changes to software applications, transitions to new applications, etc., and the potential negative impact should something go wrong.

The competency requirements of the organization are to be documented, using the Role Definitions Register, introduced earlier in the TMS Project. Academic qualifications, training and experience are just some of the considerations which need to be established for each identified role.

Note that there are a number of professionally protected terms, such as; Engineer, Architect, Accounting Technician, Project Manager, and more, which your certification auditor will expect are formally validated to ensure the authenticity of the qualification. This also extends to personnel in key roles, regardless of the qualification.

Management needs also to consider the requirements for making personnel and other relevant interested parties aware of the established policies and controls for both quality and information security. Enable ISO provides its customers with an Induction Training Presentation, which we can deliver through a remote working session, where necessary.

Communications also needs to be considered. While we have addressed some of the technical aspects for information security controls, the organization now needs to establish its own requirements for formal communications, from establishing the requirements of products and services, communicating with its interested parties, etc.

We also encourage our customer organizations to consider their own requirements for media communications planning. Think about it! Is your organization likely to face media attention following a breach of your customer data?

Documented information is also to be addressed with a formal approach to the management of the creating and updating of TMS documents to be established.

Document control features in our analysis this month. We look closely at organizational requirements to ensure that we have appropriate levels of formality in this regard.

Process Analysis:

Our Internal Audit Programme is now well developed, with all operational and support processes within the scope of the TMS being audited. At this point we turn our attention to analysis of the trends emerging through the IAP functions. The results of repeated audits, progress made on identified nonconformities, etc.
Your certification auditor will expect that there is effective prioritization of activities relating to corrective actions. The CAR Register is reviewed to ensure that the rationale behind these corrective actions is documented appropriately.

Data Protection:

Similarly, the audit expectations for monthly SoA control checks and inspections are that the organization is regularly checking "under the hood" rather that waiting for a "red light on the dashboard"...
We look at the results of these inspections from an auditors perspective to ensure that we are making good progress.
We also use the IAP section of the project to look at our obligations for information security risk assessments and risk treatments. The Process Risk Register is used to document the relevant risks associated with process and systems activities. We review the risk management provisions to ensure that the information documented is relevant and suitable for use.
Supplier relationships are also featured this month within the context of the IAP. We look at the generic External Provider Evaluation Template which we provide for consideration. The organization will use this as a guide to preparing its own audit templates for inclusion in the TMS.
Audit expectations are that an organization will ensure that the level of control exercised in the management of external providers will be directly proportional to the level of involvement of that provider in operations and the delivery of products and services.

At this point of our analysis of both Standards, ISO 9001 & ISO 27001, we come to a distinct divide in the direction of their considerations.

For ISO 9001 management needs to consider how it established the requirements for the delivery of its products and services. We can use the Resourcing Register, which we introduced earlier to document the high level resources required for effective operations. The purpose of this set of criteria is to ensure that the organization is fully prepared to carry out its process activities, with all of the required process inputs available: The 5 M's.

For organizations where design and development are core, the design lifecycle provided in the ISO 9001 Standard at Clause 8.3 is comparable with most established methodologies. The management team are asked to consider their own disposition with regard to this criteria to establish its own response.

Control of external providers comes into focus this month. This is a critical aspect relevant to all ISO Standards, particularly where an organization relies on subcontractors for the delivery of its products an services. Attention should be on the inputs into processes, to ensure appropriate levels of control are established, and how external providers are to be managed where they are involved on the delivery side of the business.

Complimentarily, we are looking at supplier relationships through the lens of information security at this stage. Your certification auditor will expect a very formal relationship with critical service providers, where data transfer and data processing is important.

To what level an organization needs to manage service providers relevant to information security is an important consideration in EU-GDPR. Management will need to consider the application of the recommended Standard Contractual Clauses, or "Model Clauses", published by the EU Commission for this purpose.

Organizations who work with external providers outside of the EU will need to consider this aspect carefully.

Process Analysis:

With the IAP delivering regularly on its process auditing, we consider the criteria of this months ISO 9001 Clauses 8.5, 8.6 and 8.7, to ensure that we are evaluating established metrics within the audit function.
We want to make sure that the internal auditing is capturing the effectiveness of monitoring and measurement mechanisms, reporting functions, training, and the effectiveness of risk treatments and other controls applicable to operations.
The IAP function should also include consideration for the established acceptance criteria for delivery of products and services, throughout operations.

Data Protection:

Continuing the development of the SOA, this month we are considering the organizations provisions for incident management, relevant to information security.
For most organizations, they rely heavily on being able to react to live reporting of incidents, particularly with regard to phishing, malware and other cybersecurity threats.
From an internal auditors perspective, we need to ensure that appropriate levels of planning are documented for those risks which may have an impact on information systems. Regular testing of incident response plans is considered at this point, to establish a dynamic between the technical team and those carrying out the internal audits.
For example: It may be that the auditor will want to verify effective control of restore from backup, once per calendar month. However, the technical team may well be carrying out this function at numerous points to meet organizational and customer objectives. The audit moment is to provide for a consideration of whether the established control is working for the organization, to demonstrate best practice in this regard.

Scope of Work

Monitoring of operations features strongly this month, with a focus on delivering products and services with the appropriate levels of monitoring and measurement, reporting, and ongoing analysis and evaluation to ensure effectiveness.

Management needs to consider their own requirement for documenting acceptance criteria for products and services delivery to ensure that customer and organizational objectives are met.

Note that measurement traceability is important for organizations who require formal calibration of equipment for the effective management of processes. This is an important aspect, and must meet the requirements of National legislation in this regard.

Controlling nonconformities is also important at this point. Your certification auditor will expect that the organization has a formal approach to identifying, segregating and treating nonconforming products an services, to ensure that they are not used without corrective action. Where appropriate, your auditor may spend additional time on this aspect where it is an important consideration for the organization.

With regard to information and privacy security, management needs to consider how it is to prepare for audit to demonstrate that it tests its incident response controls, failovers, etc., to ensure that it is prepared for all determined potential risk impacts, to appropriate extents.

Process Analysis:

The results of out IAP functions and activities are to be considered in detail this month to ensure that the reporting is providing valuable input into the management review meetings.
Your certification auditor will expect that the reporting data from operations, along with the results of the internal audits, are adequately providing for "evidence based decision making".

Data Protection:

Having considered incident response through the sessions last month, we now look at organizational requirements for business continuity planning.
The analogy is that it is one thing to prepare for putting out the fire. But what does the organization need to do to continue its data processing operations during and subsequent to an incident?
Here we look a little closer at organizational provisions in this regard to ensure that your certification auditor's expectations are adequately met. Redundancy provisions relevant to business continuity are also considered at this time.

Once we have established the data reporting from operations, our ISO 9001 considerations now look to the analysis and evaluation of process data with regard to management reporting. Responsibilities for analysis and evaluation are determined, with consideration business and customer objectives, nonconforming product, etc.

This month we also need to look at completing the IAP Schedule planning for the full 12 month cycle of internal auditing that is to take place subsequent to the certification audit.

Having spent some time evaluating the criteria of Clause 9.1.2 of ISO 9001, Inputs into management review, management is asked to use the Management Review Form provided to formally document their meeting, making sure that all TMS aspects are considered according to the fixed agenda within the structured template.

Of course, let's not forget information security considerations at management review. Our SoA Monthly Audits provide important inputs into this function, with regard to the effectiveness of the established protocols. It is important that the results of these monthly inspections are also considered from a business continuity perspective.

Process Analysis:

Now we consider the "Act" part of the "Plan, Do, Check, Act" lifecycle of the Standards.
How he organization implements changes based on the decisions made at management review is evaluated to ensure that the organization can demonstrate that it treats this aspect formally, and to good effect.
The prioritization of actions arising from the management review meetings are important, as your certification auditor will expect that the organization considers all aspects, including contextual issues, the requirements of interested parties, organizational objectives, compliance obligations etc., when deciding where to commit its resources in this regard.

Data Protection:

The function of internal auditing relative to evaluating the organizations performance toward compliance with legislative and contractual requirements is considered this month. Your certification auditor will expect that this aspect is regularly evaluated through the IAP functions.
An independent review of the SoA controls is a mandatory requirement when presenting for audit to ISO 27001. Enable ISO monthly reporting, while incremental, amounts to an overall review of the entirety of the SoA. We review these reports to ensure that all critical controls have been evaluated, and that the resulting action points are adequately documented and closed out according to effective prioritization.

This month, to compliment our analysis of Clause 10 of both ISO 9001 and ISO 27001, we look at the results from the management review meetings and how they are addressed within the TMS.

The organization needs to ensure that appropriate actions are drawn from their management meetings, whether they are relating to nonconformities or indeed, improvements.

The established CAR & Objectives Registers are to be used to document these actions accordingly, with regular reviewing being carried out to ensure good progress is being made.

Our information and privacy security considerations are this month focusing on compliance obligations, with regard to both contractual and legislative requirements. In particular, there is the consideration for EU-GDPR and its requirements for formality around organizational practices in this regard.

We also look at the mandatory requirement for an independent review of the SoA controls to ensure objectivity with regard to their application and effectiveness.

This edition of ISO 27002 establishes the criteria for best practice in the management of Information Security, Cybersecurity & Privacy Protection, relevant to both ISO 27001 and EU-GDPR. The controls required to meet the requirements of this Standard correlate comprehensively with the legislative requirements of EU-GDPR, for appropriate technical and organizational measures, organization-wide.

For a brief introduction to this Standard an the Enable ISO Statement of Applicability (SoA), please click on the following link.

Watch the Video

Introduction

Subsequent to our initial Scope Meeting, where we discuss the scope of the gap analysis relevant to the organization, we open our Gap Analysis engagements with 3 sessions.

Where the organization has prepared a Statement of Appicability (SoA), the initial evaluation is required so that the assigned Consultant Lead Auditor can assess the disposition of the organization relevant to the requirements of the Standard and EU-GDPR.
For organizations who are beginning their ISO journey, we amalgamate the time allocated for the initial evaluation with the Opening Session, so that the relevant aspects can be discussed to plan for an effective gap analysis.

Initial Offline Evaluation

This initial engagement includes a high level review of the organizations Statement of Applicability (SoA) along with relevant policies and records to support their compliance obligations toward information security.

This evaluation is carried out by the assigned Consultant Lead Auditor, who will then lead the gap analysis through to completion.

Time allocation: 60-90 minutes, depening on the organization.

Opening Session

A meeting to introduce the audit methodology and prepare for the scheduled sessions.

This meeting also provides an opportunity to discuss relevant Contextual Issues, including those associated with the requirements of Interested Parties.

At this stage of the analysis, stategic interests need to be considered, where they may have a portential impact on the organization's ability to effectively manage information security.

Time allocation: 60-90 minutes, depening on the organization.

Offline Internal Evaluation

Organizational documentation is evaluated by the auditor to determine requirements for evaluation throughout the engagement.

The assigned Consultant Lead Auditor will use the learnings from this evaluation to effectively prepare for the scheduled gap analysis sessions to follow.

Time allocation: 120-240 minutes, depening on the organization.

Each session looks at a number of subclauses of ISO 27002:2021, grouped by topical aspect and function. This element of the gap analysis evaluates the organizations disposition toward organizational controls required for effective information and privacy security management.

There are 6 remote sessions to be arranged of varying durations. Each session may require the participation of different management representatives, dependent on their responsibilities toward information security relevant to the analysis criteria.

Part 1: Management Responsibilities

A meeting with the leadership team to evaluate the organization's position with regard to policy requirements, management responsibilities, and how internal and external contextual issues relevant to information security are identified to inform threat intelligence.

In addition, governance with regard to project management, regardless of the type of project, is considered, where relevant to the organization.

It is expected that the nominated management representatives participating in this session will have a good understanding of how the organization currently manages these aspects.

It may be necessary for an appointed DPO to be present, where applicable.

Time allocation: 60-90 minutes, depending on the organization

Part 2: Information Asset Management & Access Control

A review of how the organization provides for inventories of systems, applications and data assets.

This session looks closely at asset classification relevant to EU-GDPR. Appropriate labelling of information assets to meet organizational requirements is also considered.

Access to information and systems is evaluated against the criteria to determine the effectiveness of current measures.

The minimum expectation is for the principle of least privilege to be the governing rule of thumb.

To achieve the best outcomes from this session, the management representatives for IT systems and Access Control need to participate.

This may require engaging with external providers as applicable to the organization.

Time allocation: 60-90 minutes, depending on the organization

Part 3: Supply Chain Security

This session addresses supplier relationships, where external providers may have an impact on information security.

Contractual arrangements come under review to determine the effectiveness of current controls and identify areas for improvement, where applicable.

The Standard Contractual Clauses or "Model Clauses", as promoted by EU-GDPR, are used as a benchmark relevant to organizational requirements.

Importantly, the management representatives responsible for managing supplier relationships need to be available to participate in this session for effective progress to be made.

Time allocation: 60-90 minutes, depending on the organization

Part 4: Incident Response

How the organization determines its incident response activities, resources and planning requirements comes under evaluation in this session.

The focus is on maintaining the confidentiality, integrity and availability of the data being processed.

This session can benefit from the participation of relevant team leaders and department heads, where they are responsible for significant data processing activities, or where there may be areas of concern relevant to incident response.

Time allocation: 45-60 minutes, depending on the organization

Part 5: Business Continuity

The primary focus of this session is to evaluate how the organization provides for business continuity management during a disruptive event.

How specific categories of events are assessed for business continuity requirements, through to testing the abilities of the organization to deliver to those needs, comes into consideration.

As with incident management, relevant personnel need to participate to achieve the best results.

Time allocation: 45-60 minutes, depending on the organization

Part 6: Compliance

Relevant to EU-GDPR and other applicable data protection legislation, the requirements of the organization are considered to determine the effectiveness of the provisions in this regard.

Where applicable, Intellectual Property management is discussed to determine relevant controls.

Internal audit functions, including technical and code reviews, where applicable, are considered.

The importance of an independent review of technical and organizational measures is discussed. (The gap analysis provides for this requirement relevant to ISO 27001 Certification).

Management representatives for compliance, data governance, IT security, etc., need to participate to achieve best outcomes.

It may be necessary for the appointed DPO to be available, where applicable.

Time allocation: 60-90 minutes, depending on the organization

The importance of appropriate organizational controls relevant to people or personnel management cannot be underestimated. Our analysis of people controls for ISO 27002:2021 considers organizational requirements for contractual arrangements, including non-disclosure, responsibilities toward the reporting of information security issues and concerns, responsibilities for information assets, etc.

People controls are evaluated through 2 remote sessions, with participation from the relevant management representatives.

Part 1: People 1

Employee contractual arrangements, training, and internal reporting and disciplinary procedures are reviewed as part of this session.

Provisions for ongoing awareness of information security policies and controls are evaluated.

Changes to terms of employment, changing roles, etc., are also considered.

Participation is required by management representatives who have authority and access to relevant documents and records, for effective progress to be made.

Time allocation: 45-75 minutes, depending on the organization

Part 2: People 2

The terms of non-disclosure relevant to organizational requirements are assessed to determine the effectiveness of established controls.

Also, the significance of information security relevant to remote working is considered to ensure appropriate controls are in place.

Importantly, formal mechanisms for the reporting of information security issues and concerns are assessed for effectiveness.

Management representatives with a full understanding of the data processing requirements of operations, need to participate in this session for good progress to be made.

Time allocation: 30-45 minutes, depending on the organization

Physical and environmental security controls are critical to the information security requirements of any organizatiion. For ISO 27002:2021, the physical controls are provided for through a number of subclauses, which we address in 3 remote sessions.

Video footage of walk-abouts at relevant locations, demonstrating good practice in areas such as perimeter security and access to premises, protection of controlled processing areas, segregated work areas, common areas, etc., can be used to support the gap analysis. In some circumstances, it may be necessary to arrange a location visit to validate specific requirements.

Part 1: Physical Security Controls

In this session we look closely at the physical security requirements for data processing facilities and workplaces.

Perimeter and internal security, protected work areas, document storage, server and comm's rooms, all come under consideration, where applicable.

Monitoring and inspections to evaluate and maintain the effectiveness of physical security controls are also considered at this stage.

To achieve the best results, management representatives with responsibilities for physical security are required to participate.

This may require some input from those with leadership responsibilities in operations, admin, and other organizational functions, as applicable.

Time allocation: 45-60 minuts, depending on the organization

Part 2: Secure Operations

Resourcing information security in operations and data processing is the main consideration for this session.

At this stage, we evaluate the effectiveness of established controls for continued suitability and effectiveness.

Siting of equipment, clear desk and clear screen controls are considered, where appropriate.

Where the organization processes or stores data at off-site or at secondary locations, information security controls are considered relevant to the needs of the organization.

Management representatives with responsibilities toward physical security, IT security and operations will be required to provide input into this session in order to achieve best outcomes.

Time allocation: 30-60 minutes, depending on the organization

Part 3: Media & Equipment Security

In this session, we evaluate the effectiveness of established information security controls for the management of data storage and repositories, cabling and routing, and the provision of utilities and other critical services necessary for effective operations.

In addition, we evaluate how the organization maintains and disposes of information assets at end-of-life or through planned purges, etc.

To achieve the best results, participation is required from management representatives with responsibilities for maintaining information systems, and the subsequent disposal of information assets, whether data or physical assets.

Time allocation: 45-60 minutes, depending on the organization

A total of 8 remote sessions are required to cover the criteria of this section of the ISO 27002:2021 Standard, which addresses the criteria for the technical measures required for the organization, relevant to both the Standard and EU-GDPR.

For each session, management representatives responsible for IT systems, access and control, are required to participate. External providers with responsibilities toward these aspects may also need to participate to achieve best outcomes.

Part 1: Endpoint Security

Reference: Information Asset Management & Access Control (Above)

In this session we review the established controls over information assets, relevant to the classification scheme adopted by the organization, and other considerations determined when we looked at Organization Controls for asset management and access control.