ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 query

    1. Can I seek your advice on how much the RTO is usually set to for a company offering SaaS-based solutions? Does ISO 22301 define any times? I understand that it depends on various org-specific factors, but I want to get an idea of industry best practices.

    2. We also had the below queries relating to BYOD, in case we want to implement a BYOD policy:

    Should the organisation ensure an anti-malware / anti-virus solution has been installed on all personal devices?

    3. What are the minimum device management controls that the org should have control over?

    I understand that these are not specifically defined in the ISO 27001 standard, and therefore need your advice on what controls are considered the bare minimum, and as per industry best practices, to help us pass the certification.

  • Secure coding

    Isn’t there a layer 2 as procedures and principles?

    1.1. Secure coding
    [Job title] will issue procedures for secure coding of information systems, both for the development of new systems and for the maintenance of existing systems, as well as set the minimum secure coding practices that must be complied with.

    The same secure coding principles will be applied to outsourced development, and defined through the contracts as defined in [Supplier Security Policy].

  • Information Security Plan

    I need guidance on the preparation of the Information Security Plan. It would basically be what an Information Security Plan is and what its structure is.

  • How to make company auditor?

    How do I make my company an authorized certifier to do auditing?

  • ISO 27001:2022 mandatory documents and records

    I have bought your toolkit in the past and am preparing an ISO 27001:2022 implementation and certification.

    I want to get a clear picture of which documents and records are mandatory.

    1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
    and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”. If I understand it correctly, they both relate to ISO 27001:2022. Correct?

    2 - Can you explain to me why, e.g., the information classification policy, confidentiality statement, and training and awareness are mentioned as mandatory in the PDF file but are NOT listed as mandatory on the webpage?

  • Clarification about controls of ISO 27001:2022

    IRCA circulars and publications refer to controls of this standard with the prefix “A.”; e.g. A.5.34, A.7.1 etc. This was the practice in ISO 27001:2013 also.

    The 2022 release of the standard itself refers to them without such a prefix. I would like to refer to them with the prefix, as otherwise controls like 7.1, 8.2, 5.3 etc. may be confused with the corresponding clauses.

    Is there any other logic in favour of referring to the controls with the prefix “A.”? While browsing the internet we see that both styles are being followed.

  • Questions about toolkit templates

    1. In document 04-Information Security Policy, the item "4.4 Business Continuity" of the document index does not appear in the body of the document. Please indicate whether we should remove this point from the index, or whether you will send the text of the missing part.

    2. For the appointment of the security officer and security committee, do you have a standard document that allows us to carry out the board of directors minutes for the appointment, and the appointment of the role or position to the corresponding person, or to an external entity that provides the consulting service?

  • Internal audit section of ISO 27001:2022

    This might come across as a silly question, but in the project checklist in the ISO toolkit, there is a section dedicated to operating and monitoring the ISMS. What actually needs to be completed under this process, just so I'm very clear and able to advise the project team?

  • ISO 27001 Internal Auditor Course Question

    With regard to the Q/A listed below, I cannot see the relevance of the question to the section being discussed, Module 9 "Document Review".

    Document review - quiz question

    Not sure I follow the answer (2) to this question in context of Document Review

    Q: When performing the document review you must take into account:
    1. Only the context of the organization, including its size and complexity. – Incorrect! These are not the only elements that should be considered when performing the document review.
    2. The risks and opportunities associated with the context of the organization. – Correct!
    3. The clause order of the ISO standard, so you can follow the exact sequence during the document review. – Incorrect! It is not mandatory to follow the sequence of the clauses of an ISO standard, you must follow the sequence that you believe is the most efficient and effective.
    4. All the above. – Incorrect! a) and c) are not correct statements.

    Please explain
