Guest
Hello, I have a concern about the determination of activities, products and services. I would like to take a practical case of an organization whose sole activity is to operate and maintain the IT system of a bank. The bank retains 3 critical processes that must never be interrupted: customer management, credit management, and collection.
We want to do the SMCA (Business Continuity Management System) for the bank's computer system. What should be retained as the products and services of the SSSI (information systems services company)?
i) Product: Computer System, Services: Management and maintenance of the Computer System, customer management, credit management, collection
ii) Product: IT system, Services: customer management, credit management, collection
iii) Product: Computer System, Services: Management and maintenance of the Computer System
With regards to the scope, there is a section around location. Our client’s registered location is the CEO’s house address which we wouldn’t want to include as the location. All the users work remotely in different places. How do we deal with such a scenario? Is there a way to exclude location?
Can you explain to me how to write contracts and regulations for contracts, and is it between IT management and other employees in the same company?
Another question, for example, Microsoft a software company (license and terms of use) the contracts between the IT department
Another question, for example, Microsoft, a software company (license and terms of use), and the contracts between the employment in compatibility? Please write an answer with details on how to structure writing contracts, with examples.
We had a question come up regarding ISO 27001 and minor non-conformities. I’ll enter it below hoping that someone from the training team may be able to answer it for us.
Question we have:
We have a certified facility that had a few minor non-conformities during its last surveillance audit.
The audit provider gave the ISMS team until June 2023 to address them. They had 90 days to supply a fix.
Did that mean they needed to report back to the auditor with the remediation by June?
Or do they need to provide evidence that they were addressed by June at their next audit, coming up in March 2024?
So, does that ISMS team need to proactively reach out to their auditor with the evidence that the non-conformities have been fixed?
Quick question on the requirement to classify and label information. Are we expected to do this for all historical documentation as well as documentation moving forward?
Is it logical to have the IT responsibility for BCP led by the Infosec team?
Will the organisation have to go through each agreement and determine? If so, this may be a time-consuming exercise?
1 - Would you be so kind as to explain to me why I see differences between your explanation here: https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
and my paper version of 27001 - there the cryptographic control is defined under A.10.1.
I have ISO 27001:2013.
In your text, A.8.24 is mentioned.
2 - My second question is: can you recommend any webpage where I can see an example of a cryptographic control? Thank you.
I am currently working on a project with a client attempting to get them ISO 27001:2022 certified. The project started in mid-2020, and we took over the project late last year and are using the 2013 version of the templates; however, we are not sure whether we need to use the 2022 transition documents to update their project or whether we can stay on the 2013 iteration of the standard for their certification later on in the year.
If you need any further context regarding the project, please let me know.