ISO 27001 & 22301 - Expert Advice Community

Scope definition

In your opinion if several registered entities with different natures of business (e.g., data operator, business optimisation consultancy, publication house, and a financial service provider) are part of a registered holding company, how do you determine the ISMS scope, would it pass an ISO audit if the holding company drafted an Acceptable Use Policy or Wi-Fi AUP with expectation of a "one size fits all" entities?

Or would each entity have to have a separate policy that aligns to the holding company's security objectives as far as it applicable to them on an individual basis?

Compliance Manager

I work for a small company (33 employees) that is ISO 27001 and 27701 certified. We use SharePoint for document storage. Version control is documented manually on every procedure, policy, template, checklist, and training material in our company. In other words every time we update a process or materially change the content, we increment the version number, list the change, the date, and who approved it in the document. Each team has a Controlled Documents List to manage the documents for their team. This process is quite labor intensive, as we track changes and keep historical versions of each document, etc. It really is impeding the progress of keeping our documents up to date. With all this in mind, we are thinking of simplifying the process for documents that are not directly related to ISMS and PIMS. For example, is all this really necessary for the Sales Team process to create a proposal or for the Customer Care Team process to provide support for a customer using our software?

27001 audits

How would I audit a large company who holds their ISMS processes at their head office but have 120 sub sites who mainly only supply construction work for the company. Head office is in *** and about 60 sub sites in ***. My point is, as far as the ISMS is concerned it is operated from the Head office who hold all the clients’ data.

Question from ISO 27001 Foundations Course

When talking about interested parties in clause 4.2. The video starts with saying it is Required to Document interested parties and their Information Security requirements. By the end of the video he says Clause 4.2 requires this analysis to be conducted but not documented. Can this be corrected or documented below the video? Many of the questions on the test cover what is required and not required to be documented, so this just adds to the confusion.

Links between 14001, 27001 and 45001

The real question is are there natural linkages between 14001, 27001 and 45001 that can be built upon in developing the operating systems environment that you want to achieve, and satisfy the requirements of the three in the process. This is what we need to ensure that we're asking the best questions and tasking the people in the right direction. We look forward, not at lagging indicators, but at guiding science.

Special Interest Groups

For ISO27001 a.6.1.4, what would be some examples of special interest groups?

SOA Based ISMS Manual

We have now taken the first steps, but are still waiting for the release of the ISO standard for 2022.

We also want to align our SOA with this new version. I intend to structure the SOA in such a way that I have a high-level document that only contains the controls and the selection including the justification - the document is also available to customers because they have already asked for it in the certification process. The 2nd level describes the requirements from the standard and our planned and implemented implementation in more concrete terms - this also results in a kind of "Security Management Manual".

I have attached an initial draft for A5 (Organizational Controls) (2022). What do you think of it, does this procedure suit an auditor?

Position Description Question

I wanted to touch base with you about a quick question. This is about ISO27001 control regarding stipulating Information Security obligations in Position Descriptions.

We are an ISO-27001:2013 compliant company and we have generic Info Sec roles and responsibilities articulated in our Position Description.

I wanted to know if there is a need to articulate role-specific Info Sec roles and responsibilities as well in PD’s. For example, a Backup Engineer’s Info Sec roles and responsibilities would be different than that of a Network Engineer. Some views in our company are that it would be overkill as ISO doesn’t mandate going into such details.

Necessity to include specific user

Hi, as an IT Security Engineer I am the "Project Manager" for our company (as a role in Conformio). We have a senior project manager at our company as a consultant for ISO27001. He is sporadically consulted on our documents due to his experience in ISO certification. Do we need to include him in our Conformio and documentation or not with regard to the ISO27001 standard or not?

HR as asset and risk owner of SA

Could you elaborate a little bit more on this one?

How HR is asset and risk owner of SA, and the threat is social engineering.