ISO 27001 & 22301 - Expert Advice Community




  • Control implementation

     We have passed stage 1 of ISO 27001; one of the minor findings is that we should have secure system engineering principles, as we develop software.

    I checked your ISO 27001 documentation; there is no secure system engineering policy or procedure. Could you provide some guidance on what should be written?

  • Communication plan

    I'm seeking information on a communication plan template in Advisera's ISO Toolkit 27001_22301.

    I read this article and am now trying to locate the template.


  • Template content - information classification policy

    Control A.8.1.1 is missing from the reference documents of "Richtlinie_zur_Klassifizierung_von_Informationen_DE". Inside "Erklaerung_zur_Anwendbarkeit_DE", control A.8.1.1 lists "Richtlinie_zur_Klassifizierung_von_Informationen_DE" as the implementation method.

    Would you mind telling me which is correct?

  • Awareness and training for secure software development

    I have a question about the appendix of the policy for secure development, the specification of security requirements. I am trying to add the appendix to the risk treatment plan. What is the measure for awareness, and what is the method for evaluating results? Who will have access to the document?

  • Implementation of policies

    We are now starting the implementation of Information Security ISO 27001. I am at the phase of preparing the control implementation of the policies. I'm facing difficulties with starting work on it.

  • ISO 27001 toolkit - which standard is it compliant with?

    What is the version of ISO 27001 that your documentation is compliant with?

  • ISO/IEC 27701 Privacy information management standard

    I just viewed the ISO/IEC 27701 Privacy information management standard (First edition 2019-08) and have learned that there are more than just some minor modifications. In the Advisera ISO 27001/GDPR documentation kit, I do not see anything about this (yet).
    Do you have an idea how best to deal with this? I do not find anything on the Advisera website about it (unless I have overlooked something). Will there be a publication and/or webinar/additional documentation (it can be paid) available from Advisera in the near future?

  • Action plan for non-conformity

    How do I prepare an action plan after the external auditor has given a minor NC?

  • E-mail use

    I have the following question regarding a decision which impacts ISO 27001:

    The owner/management (small company) has a company e-mail address. The owner does not like working with the company e-mail solution, so he wants to automatically forward the incoming e-mails from his company inbox to his private e-mail account (with Gmail). Additionally, he wants to send e-mails from his private e-mail account where the sender will be shown as his company e-mail. The use of private e-mail addresses is generally prohibited (we are currently implementing a policy for employees, etc.). Is it possible to create an exclusion in the policies for the owner/CEO, and what other implications does this e-mail forwarding/relay have with regard to the ISO 27001 certification? The whole company is in the ISMS scope, but not the mentioned private e-mail account.

  • Vendor risk management career

    I am in the process of building my career in Vendor Risk Management, so I wanted to check what could help me be a better auditor and how to achieve my goal.
