ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Can we be GDPR and ISO 27001 compliant with 1 employee?

    Can we be gdpr and iso27001 compliant with 1 employee? 2 employees? And working with freelancers/consultants


  • Including SOC 2 controls in SoA

    I hope you're doing well. I watched the ISO 27001 Lead Auditor Exam training videos and found them to be very useful! Thank you for offering this free training. I am leading the ISO 27001 internal audit efforts at my company for the first time this year and wanted to seek your guidance. Our company's ISMS is ISO 27001 certified and we also have a SOC 2 Type 1 certification.

    1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?

    2. If we were to add all of the SOC2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC2 controls since those are tested independently as part of the SOC2 audit. I understand an internal audit is not required for the SOC2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC2 cert audit.

  • ISO 27001 confidentiality

    Which section of iso 27001 mentioned o confidentiality?

  • Documenting Statement of Applicability

    1. How to start documenting Statement of Applicability.

    2. What approach to follow?

    3. Who all should one interact with?


  • Critical areas to prioritize focus during implementation

    What are the more critical areas to prioritize focus during implementation?

  • Recommended system/application to control documents, incidents and other stuff from ISO standards

    What system/application you recommend to control documents, incidents and other stuff from ISO standards?

  • The best KPIs for monitoring metrics

    What KPIs will be the best to choose for monitoring metrics?

  • Business relevant data

    The question is: what is considered ‘business-relevant data’ as mentioned in the document ‘A.8.2 IT Security Policy’ and is there a list that we can use to help us identify instances of this?

  • Implementation issues

    1. What implementation issues do you usually have?

    2. Do you have implementation shortcuts that helps you streamline an implementation?

  • Best methodology for information security risk assessment

    1. What is the best methodology for an information security risk assessment?

    2. How to ensure if privacy principles are dealt with in accordance with relevant legislation and regulations? If the client says that he is performing an assessment to ensure he is in line with the DPA, is this information enough to make him compliant with clause 18.1.4?

Page 1 of 440 pages