ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit register of requirements Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit AS9100 Product: EU GDPR Documentation Toolkit
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Surveillance audit

    I do have a query regarding the ISO 27001:2022 standard.

    In 2021, we successfully conducted an ISO Audit based on the ISO 27001:2013 standards. As the date for our surveillance audit approaches, we are seeking clarification regarding the standards to be followed. Our Surveillance audit is due on 10 August 2023.

    Considering the recent updates to ISO standards according to ISO 27001:2022, we would like to confirm whether we can continue with the surveillance audit according to the ISO 27001:2013 standards or if is it necessary for us to update our processes to comply with the ISO 27001:2022 standards.

    Thank you for your attention to our inquiry. Looking forward to your reply.

  • Handling accidents

    Please advise me, which part speak about how to handle when accident happened, accident management, how to lead workers, outsource company, fireman’s etc?

  • Questions about implementation

    I have some questions if that's okay! See below:

    What documents should we be including under the ISMS? Should the scope mainly include policies and procedures or should we be including all client/supplier contracts, day to day project documents eg. cost estimates / statement of works etc.

    Double check internal annual audit - does this need to happen every year? if so, when does this happen e.g., every year from certification? (in our case, we're looking to be certified Sept 2023, so Sept 2024 would be the next internal audit). Is there any leniency on it being 12 months versus 18 months for example?

    Remote working policy - this is more general advice, but do we need to add how we manage people working abroad, as they need to be able to work from wherever they can on business which can sometimes mean in a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?

    Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We currently are excluding them as we feel we would be covered under their own security policies but just wanted to double check that's accurate/ what the standard is?

    Thanks very much!

  • Clause 7.4 Communication Register

    Dear Team - how can we generate a communication register for the 7.4 clause? We were asked for Communication Register.

  • How to efficiently plan the audit

    Compliments of the season to you. I have been following you for over a year now. I have watched your videos, bought   your book on how to implement ISO 27001, and attended your Webinars.

    My company just posted numerous positions for Intermediate 'Security Auditor' (With focus on ISO 27001) and I asked them if I can join the team to start gaining experience.. Their response is that I don't have any experience, though I have the training and certification (PECB Provisional Auditor ISO/IEC 27001, ISACA Cybersecurity Certificate and ISACA IT Audit Fundamentals). I am currently working as a Security Analyst..

    How can I gain Audit experience to prepare for such opportunities or even start consultancy job?

  • Supporting documentation for training

    We are looking to train our employees on ISO 27001 and wondered if there is any supporting documentation that we can provide and upload on our company intranet and HRIS system?

  • Processo de adequação à ISO 27001

    Como iniciamos o processo de forma a não gerar retrabalho no futuro e para que consigamos implementar o ISMS de forma útil para a empresa?

  • ISO 27001 compliance process

    How do we start the process so as not to generate rework in the future and so that we can implement the ISMS in a useful way for the company?

  • Questions

    1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.

    We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.

    What should we put in the documentation instead of CISO?
    Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
    Or alternatively should we only include job titles that we actually have in the company?
    I am not sure how to present this in the documentation and audit.

    2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
    1) they include a lot of the same columns.
    2) you can use filter instead of copy pasting those risks that need treatment. Copy pasting between tables is error prone.

    Does the standard require these tables to be seperate?
    Can you explain why these are separate in the toolkit?
    Any other comments will be very welcome.
Page 13 of 544 pages