ISO 27001 & 22301 - Expert Advice Community




  • Business continuity in EU

    Hello, I am looking for laws and regulations on 'industry sector' and business continuity in the EU.
    I am interested in BC of critical infrastructures in a big industrial organisation.

  • Business continuity procedures

    Is this the right document template from the Toolkit for the mandatory document required by ISO 27001 for Business continuity procedures (A.17.1.2.):


  • ISO 27001 / ISO 22301 Disaster Recovery Plan

    Hi guys. I just bought the Disaster Recovery Plan and want to use it with combined ISO27k/22301/GDPR documentation that I'm working on. I noticed there are four documents. Which one would you recommend for this?

  • Risk treatment

    Regarding the theft of a laptop from a car: while the policy can prohibit leaving a laptop in a car, thus reducing the probability of theft, how does a backup or encryption lower the probability of theft? It merely lowers the impact when the theft occurs, but not the probability of theft. The thief does not know the data is backed up or encrypted, and usually doesn't care, because he is most often after the hardware for resale, not the data.

  • Excel Template Programming

    Where can I find details on what has been programmed into the Excel templates, and where is maintenance documented? Specifically, in risk treatment, how do I change the method, colouring and warning messages? Thanks.

  • Checklist ISO 22301: 2019 content

    I was really happy when I found the "Checklist of ISO22301:2019 mandatory documentation" since that contains what is mandatory and what is not.
    However, when looking at chapter 2 in the list, it says that a post-exercise report is not mandatory.
    When I look in the corresponding clause in the standard (8.5), it says:
    "The organization shall conduct exercises and tests that:
    e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;"

    To me, this implies that a post-exercise report IS mandatory...
    Please elaborate on your interpretation.

  • BCP

    I need to know what components and structure are required to document a BCP from an ISO 22301:2019 perspective. I am not interested in certification at this stage; I am more interested in what my organisation requires in terms of the structure needed to document a BCP. We already have a BCP in place, but we need to know what ISO 22301:2019 requires for documenting a BCP, and accordingly I will revisit what we have in house, ok.

  • Statement of acceptance document

    I have a question regarding the statement of acceptance document. It is stated that all employees need to sign this document; does this include the managing director and also non-IT employees? Also board members? Or do only IT employees of the organization sign the document?

  • ISO 27001 re-certification

    My registrar is telling me I have to have my recertification in December. My ISO cert will expire on Feb 13, 2021. We don't want an audit in the middle of the holidays due to limited availability (so much vacation). Why does it have to be two months prior if my cert is good through February?

  • A.12.5.1 Vs A.12.6.2

    I would like to clarify the documents required against Annex A controls A.12.5.1 and A.12.6.2.

    We have a written document against A.12.6.2 which specifies

        Users cannot install any software
        Only IT can install software
        All software to be approved by IT
        Software installation by end-users requires exception with risk impact.

    Is there a separate document required against A.12.5.1?
