ISO 27001 & 22301 - Expert Advice Community




  • Review

    Good evening,

    the inspector who will carry out the audit reported the following documents to us:
    Organization chart,
    Integrated System Manual (or equivalent),
    Information security policy,
    Context analysis,
    Applicability statement,
    Risk analysis,
    Asset List,
    Continuity Plan,
    Disaster Recovery,
    Last Management Review.
    Internal Audit Results and Reports.
    Do you have any information on those documents that they have requested from us but which are not present in the kit?

  • Statement of Applicability

    We also just have a question re the risk treatment template. Appendix 2 - Risk Treatment Table allows for a single control per risk identified. If we believe multiple controls are applicable on some risks above the risk threshold, should they be documented? Or is it a case of just listing the most important single control and leaving the others for the Statement of Applicability. Thanks

  • Control procedure

    I do have some questions related to implementation of the ISO27001, for example we already have document control procedure based on the ISO 9001 do I update it to reflect the ISO 27001 or have a standalone document control procedure based on the ISO 27001. I do need this clarification

  • Questions regarding ISO27001 documentation

    I’m writing to you on behalf of the company *** and its CEO ***, who bought the ISO27001 toolkit.

    Here are some questions I would like to ask.

    1 - In the pack that we bought, we can’t find the document regarding Business Continuity Strategy. First I thought that it is the same as the Disaster Recovery Procedure but after having a look here, I found out that this is not the case. Could we receive a .doc Italian version of this document, like we did for the rest?

    2 - All along the instructions we can see that the documents refer to clauses (e.g. A.17.2.1, 7.5…). These clauses sometimes match with the code of controls, other times they don’t. Do these clauses refer to controls or not? If yes, why don't they always match? If not, what do they refer to and is there a list of clauses?

    3 - In our documents we put the reference documents towards the end of the documents in the same table with the records. Is that ok or is it better to separate them and put the Reference documents at the beginning of the documents like you did?

    4 - In some of our documents/politics we describe the Violations of the Politics in a dedicated paragraph while in your documents we don’t find them. Can we keep these paragraphs regarding Politics Violation or not?

    5 - Can we put a document/section with the Organisation chart emphasising the key figures with responsible roles in ISMS? And linked to this topic two more questions: could we use a RACI matrix in the documents? Could you suggest the best way to call these figures in Italian?

    Thank you in advance for your help and have a nice weekend.

  • AML-ISO 27001

    Hello, I have a question regarding the ISO 27001 certificate, does this certificate include AML policies?

  • ISO27001 Lead Implementer Training


    I recognise that the exam for the course provided by Advisera is "accredited" by Exemplar Global but there seem to be several ISO27001 Lead Implementer qualifications provided by and accredited by various companies.

    Are these qualifications benchmarked against each other to ensure they are the same level of detail/difficulty?

    Also, having passed the exam can you state you are an "ISO27001 Lead Implementer" or do you need to demonstrate some level of practice in the industry (in the same way as the CISSP and CISM qualifications) to an overarching body?

    I really like the content and having completed the Foundation exam am keen to proceed with the Lead, I'd just like to check my understanding of what this gives me.

    Best regards


  • Documenting processes in the ISMS

    How exactly do the individual ISMS processes need to be mapped? E.g., is it enough to write "HR" or do I have to explain every step of, for example, the process "managing employees"?

  • Changes to the document

    Hello Dejan, thanks for the reply.

    Allow me another question: with the pandemic, was the mobile device policy revised? It has some points that we certainly do not comply with, because of the emergency of putting employees on home office. Since the version I have is from 2015, has there been any change?

  • Documents required from support/CSM perspective

    Could you advise what documents would be required from a support/CSM perspective, please?

  • Requirements to satisfy the requirements of ISO 27001?

    I completed this training already and I enjoyed it.

    Quite a lot of this content was a ‘common sense’ for someone who works in the field, but it will be new to other staff members and my ISO 27001 team members.

    I’m just wondering if this training plus our GDPR e-learning and an annual refresher would be enough to satisfy the requirements of ISO 27001?

    I think some input on policies and procedures would be required too.
