ISO 27001 & 22301 - Expert Advice Community

Asset and Risk Owners - can it be a role and also a name of an employee

In the asset and risk registers, can the asset owner and risk owner be both a role (like IT Manager) and also the name of a specific employee? Or does it have to be one of those and cannot be the other?

A.15.2.2 Managing changes to supplier services

I have read the implementation guidance in ISO 2002 but I am still not sure of what type of controls we should implement to be compliant with the control A.15.2.2 (ISO27001:2013). I understand that this is regarding changes in supplier agreements and/or Terms and conditions, changes in how our company uses the supplier services etc. Could anyone share how you have implemented this control? We have a non conformance from our recent audit regarding this hence my question. 

Thank you in advance!

Risk Treatment Advice

Hello,

We are a small IT co. currently at Risk Treatment stage. IT manager has now become engaged in more detail and suggesting that we accept all suggested controls automatically generated for each risk. Understandably, his thinking is that it is safer to be comprehensive and many controls will be selected in other risks anyway. I think that there is a danger here that explaining any given control applied to a risk might look like 'box ticking' if the control is not really applicable/relevant to the particular risk.
Example; one risk/threat pair  'Rules for mobile devices not defined/theft, vandalism, or sabotage' offers 32 controls.If we have to explain/justify each of these controls in SoA that seems a lot of work and some justifications may be thin? This is just 1 of 114 risks he has selected for application of controls, so we may be creating a huge mountain to climb?

Any advice/guidance on this appreciated. 

Scope

In the case of a group of three companies (A, B, C), company A is to be certified. All three companies have their own, independent customers and suppliers. The servers and network components of all three companies are located in the data center of company A. How must the SCOPE of company A be described if the servers and network components of companies B and C are NOT to be part of the certification?

Internal audit checklist and report combined

What will be doing is using the checklist to carry out the iso27001 Internal audit. As you know the checklist has a section that says evidence I will write where I got the evidence who I interviewed medium etc.

What I am however doing is after each section of the checklist for eg context of the organisation 

I have combined the report there for example after each major section after answering collecting the evidence I have done this.

I have basically combined the audit checklist and the report. I'll send a screenshot. Please let me know what if this fulfill requirements of audit and audit report. Programme I have already please see screenshot.

Many thanks my guess combining them is fine just double checking. 

ISO 27001 Clause 4 - Scope

In respect of scope location, would you include remote working eg coffee shop/airport? I would like to include homeworking, but I feel ad-hoc remote working may be a step too far in the scope. What would be best practice here please?

Certification for both 9001 and 27001

I actually have one question /clarification based one what I read which confirms that it is possible to get certified for both 9001 and 27001 at the same time. I would like to get clarification on how both projects would be done concurrently and/or together. What are the common activities / interview meetings / deliverables?  Can a department interview approach be taken? Is the risk assessment and treatment plan common to both standards or only specific to 27001? How does the certification audit work in this case? What does it take to undertake both projects at the same time ( in terms of additional time and resources)? Do you recommend to work on both 9001 and 27001 certification at the same time?

Risk assessment: multiple vulnerabilities for the same threat

On your tutorial vimeo page in the "06 How to implement risk treatment" video, you showed an example (see screenshot attached) in which you listed 2 separate lines for: the same asset, with the same threat, but with 2 different vulnerabilities.

Would it not make more sense to list this under 1 line?
That way there is 1 asset, 1 threat, 2 vulnerabilities and 2 controls.

I ask this because for some of our threats, we have 5-6 vulnerabilities and 5-6 controls to mitigate them. should we split this to different lines or is it okay to have multiple vulnerabilities, with multiple controls, and multiple assets - within 1 line?

Conformio roles

My name is the only available user for the steps in Conformio. What other users/roles would you recommend that I add? (Or does that actually come later in the process? The guide says I should not skip any steps, but at the same time I feel I need some new roles and users in the system)

Help with certification

Hi, we wanted to discuss how to best place our shared server IT Department to support the business units who currently hold or want to obtain ISO 27001:2022 certification.