ISO 27001 & 22301 - Expert Advice Community

  • Procedure for document and record control

    Is it best practice to have the CEO approve the control of documents? My worry is that the CEO becomes a bottleneck for the organization since he has to review any changes to the documents. Please clarify.

  • Statement of Acceptance of Residual Risks

    I don't think this statement makes sense: "Statement of Acceptance of Residual Risks – a document specifying unacceptable risks for which an effective treatment has not been found". It should read like "a document specifying acceptable risks....."

  • Register of legal, contractual and other requirements


    Could you please explain what you need exactly here? What are the requirements for the "Register of legal, contractual and other requirements" in detail?


    Thank you,

  • Procedure for document and record control


    Good Morning,

    Could you tell me what you guys exactly want from the Procedure for document and record control document?

    In detail please. I have a couple of questions too. My scope is the whole organization: "This procedure is applied to all documents and records related to the ISMS", so in my case is it all the company's documents?

    Document approval 

    I understood that the CEO must approve all documents; is there something else?

    3.3. Publishing and distributing documents; withdrawal from use

    There are some parts where Conformio is mentioned. I don't think the way the word "Conformio" is written there is professional: "the Conformio platform will automatically inform all employees listed as users of the document by email...."


    Tell me more about record control and also documents of external origin. What do you want from me exactly? I could not figure it out.


    Thank you in advance,

  • Assets

    Please clarify a question for me.

    Can an information system be composed of: information security management system procedures and policies, hardware, software, networks, data, documents and facilities and people?

  • ISO 27001 Internal Audits

    We are an IT Service provider in the healthcare industry and have different internal IT teams. We have an IT Field Engineering team, Data Centre, Directory Services, Networks and Telecoms, IT Server team, Project Management Office (PMO) teams, etc. These are all specialist teams and their members are SMEs in their field; they know the benefits of ISO 27001 and are committed to helping us, the Compliance Team. However, auditing these technical experts from clauses 4 – 10 is a challenge.

    So, what we have been doing is auditing these internal teams from the controls of Annex A; we created a template around these controls. Each team is audited around these controls, for example:

    A6.1.2 Segregation of Duties

    A8 Assets

    A9 User Access Management

    A11 Physical & Environment Security

    A12 Operations

    A15 Suppliers

    A16 Information Security Incidents etc

    However, during the recent Surveillance audit, the external auditor issued a non-conformity saying:

    “Audits conducted to date have covered service delivery: to date, there has been no audit to conformity with ISO27001 clauses 4-10”

    My question is: these technical people don't know what is in clauses 4 – 10 of ISO27001. How should we audit them from the clauses of the standard? For example, they don't know the basic questions:

    Are relevant internal and external issues that can affect an organization's ISMS identified?

    Are all relevant interested parties identified, together with their requirements?

    Is top-level Information security policy documented?

    Are management reviews performed as planned?

    Is the Risk Assessment and Risk Treatment Methodology reviewed before the regular review of existing risk assessment?

    The only option we can see is if someone within the organization who is independent audits us, the Compliance team, from Clauses 4 – 10, and we continue auditing technical teams from the Annex A controls. Please advise if this approach is sufficient to improve our auditing process. Many thanks, Ash

  • Automated Firewall Review

    We are a SaaS-based company and we are hosted on the AWS cloud. Hence we use AWS Security Groups, which act as virtual firewalls. We have multiple security groups. One of the controls in ISO is that a firewall review needs to be performed. The traditional approach is that the firewall owner reviews the rules and provides sign-off, etc. However, since we have multiple security groups it becomes difficult to review each. We have implemented a CIS benchmark tailored for AWS. We deploy regular scans on AWS Security Groups, using parameters established by the CIS benchmark. The focus is on detecting potential misconfigurations, especially in the context of publicly open ports, ensuring a robust defence against unauthorized access. Weekly reports are generated and sent to the team.

    My question is, as part of an audit, can this evidence suffice, since we have automated the process of firewall review and do not perform a manual review?
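An added example (not the poster's tooling or any vendor's scanner) of the kind of check such an automated review performs: it walks security-group rules in the shape of EC2 describe_security_groups output and flags rules that open SSH or RDP, the ports the CIS AWS benchmark singles out, to 0.0.0.0/0 or ::/0. The group IDs, names and rules are constructed sample data so the check runs offline.

```python
# Flag AWS security-group rules that expose sensitive ports to the whole internet.
# Added illustration, not the poster's tooling: the input copies the shape of EC2
# describe_security_groups output, constructed inline so the check runs offline.

# Ports the CIS AWS Foundations Benchmark says must not be open to the world (SSH, RDP).
SENSITIVE_PORTS = {22, 3389}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: "web" exposes SSH to the world; "bastion" limits SSH to a
# private range but has an all-traffic rule (IpProtocol -1) open to all of IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]


def rule_covers_sensitive_port(rule):
    """True if the rule's port range includes a sensitive port; -1 means all traffic."""
    if rule.get("IpProtocol") == "-1":
        return True
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return any(lo <= p <= hi for p in SENSITIVE_PORTS)


def find_public_sensitive_ingress(groups):
    """One finding per (group, rule, world CIDR) that exposes a sensitive port."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            if not rule_covers_sensitive_port(rule):
                continue
            # Both IPv4 and IPv6 ranges must be checked; a rule may carry either.
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr in WORLD:
                    findings.append({"group": sg["GroupId"], "name": sg["GroupName"],
                                     "protocol": rule["IpProtocol"], "cidr": cidr,
                                     "ports": (rule.get("FromPort", 0),
                                               rule.get("ToPort", 65535))})
    return findings
```

Each finding carries the group, protocol, port range and offending CIDR, which is the detail a weekly report needs so that an auditor can trace a flagged rule back to the group that was reviewed.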

  • Choose to Not implement a security control

    I am a bit conflicted about this and need to hear what you think. I have asked Experta but I am still not sure. It feels like there must be a clear answer to this. So my question is... can I (according to ISO 27001) choose to not implement a security control from Annex A even if I can see a risk with not implementing it? If we identify the risk but choose to accept the risk without any mitigating actions, in this case there won't be any risk treatment plans to connect to the security control. The risk is accepted by the company and we choose "Not Implemented" with no plans to implement. The risk and security control will be re-evaluated yearly. Is this okay, or what should we do with the security control if we only have one or several risks linked to it that are accepted without further actions?

    The reason to not implement could be that the risk is very, very low, very, very unlikely and/or would cost more to implement than the consequence of the risk.

  • Business continuity plan, RTO and MTPD

    In our BCP for external threats like cyber attacks it is mentioned that "RTO is not applicable in this case, however it is recommended to contain the threat within a defined period". The MTPD for such kinds of disruptions is 2 hours, but it took us more than 4 days to resume all critical systems and services. What do you guys think, should I raise a non-conformity for this?


  • Information Security Goals

    Please help me with sample examples of information security goals that can be easily measured. Thank you so much!
