ISO 27001 & 22301 - Expert Advice Community

  • Guidance on Missing ISMS Documentation and Implementation Drafts

    1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.

    2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?

  • Audit report

    Can the audit report serve as the obligatory documentation of audit program and audit result?

  • Question on risk register and selection of the assets

    I have a question about which assets to select in the risk register, for instance, in the IT and communication equipment category. We certify Company A, which is a subsidiary of Company B. The equipment Company A uses (server rooms, servers, desktop computers, notebooks, and small stuff) belongs to the Company B and Company A rents it. The alarm system and key cards are also provided by the Company B for the subsidiaries. Do we only select assets that are owned by Company A, or all assets that are used by Company A?

  • Physical Security (A.11)

    I can't find anything on Physical Security (A.11).
    Only A.11.1.5 has been described.

  • ISO 27001 Package of Documents

    In our pack of documents I was looking for a Policy on Privacy and Protection and any procedures that are in our pack but couldn't see anything, are you able to help?

  • Initial Risk Assessment Non-conformity

    At our last surveillance audit our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable i.e. scoring less than 3, did not show any justification for why we made that assessment and Conformio doesn’t require that. Our assessment would have been based on the controls etc already in place at that time.

    Obviously, you are of the view that when making the initial assessment, it’s not necessary for us to record why we make that assessment. What is the reasoning behind this?

  • ISO 27001 / ISO 22301 Tools for Consultants in German

    I'm currently working with your documents and came across the following issue:

    In the overview of all documents (pdf) there are links from the different documents to the relevant sections of the standard/norm. 

    If I turn around this linkage, I'm surprised that there is no link to any of the documents for the following Appendix A controls: 

    A.5.1 Policies for information security
    A.5.2 Information security roles and responsibilities
    A.5.3 Segregation of duties
    A.5.6 Contact with special interest groups
    A.5.8 Information security in project management
    A.5.34 Privacy and protection of personally identifiable information (PII)
    A.5.36 Compliance with policies, rules and standards for information security
    A.7.1 Physical security perimeters
    A.7.2 Physical entry
    A.7.4 Physical security monitoring
    A.7.5 Protecting against physical and environmental threats
    A.7.8 Equipment siting and protection
    A.7.11 Supporting utilities
    A.7.12 Cabling security
    A.7.13 Equipment maintenance
    That means those controls wouldn't be handled anywhere in the future ISMS documentation!?

    Can that be true?

  • 22301 certification

    We had ourselves certified according to ISO 27001 this year, which also includes a “small” BCM. How big is the additional effort if you want to be certified according to ISO 22301? So it's not the costs incurred by the certification body but rather the internal costs?

  • Toolkit documents

    Forgive my zero knowledge of ISO 27001. I am doing the audit finding but didn’t find the template I needed in the Toolkit.

    Example:

    Subject: Information security roles and responsibilities.
    Description: All information security responsibilities shall be defined and allocated.

    Thank you in advance.
