Guest
I have the following question:
Company A rents virtual as well as complete servers from a hosting provider. On these servers a development company develops customized software for company A. The scope of the ISMS of company A covers the whole organization and therefore also the data and applications on the servers. Company A has no software development of its own.
Question: Regarding 14.2.5, 14.2.6, 14.2.8, 14.2.9, can company A exclude these controls in the SoA and only apply 14.2.7, as the responsibility/risk is contractually transferred to the development company and company A does not have any own software development? The risk assessment has shown some risks with regard to the development process on the servers, but this has been treated by contractually transferring the liability to the solution provider and applying chapter 15 controls. Contractually the development company is responsible for maintaining the security of the servers. What would be the best approach here?
SoA > Can "Mandatory according to ISO 27001 or GDPR" be a valid justification or does it have to be a specific risk?
I purchased the risk assessment and treatment methodology template; when developing the document, you cite some references such as:
Who would these people be?
I have 30 years of experience in software development, project management and at executive levels, mostly in the US. I also have some recent experience in designing and implementing data privacy policies in a higher education institution in the US. If I pass the ISO 27001 Lead Auditor certification exam, will that help me in getting started as a Provisional or Internal Auditor for CCPA requirements? I would like to set up a time with you to discuss.
We are from the UK and found your excellent courses, then this 27001Academy, which claims we can do 27001 ourselves. However, we need to get the UKAS-accredited ISO 27001 certification, which is the IAF NAB for the UK. How does this fit in with your DIY claim?
In which document is my question: Annual Program for Internal Audits
Question:
I have a question about the last column of the table ("Protocol to execute the audit").
The comment on the column refers to the "Report on the internal audit". When we talk about "Protocol" in this column, do we talk about the "Report"? That is, is the "Protocol" the "Report"?
How can I show that the consideration of interfaces and dependencies is in place in a company? From the IMS manual, or where?
Why does ISO 22301 not talk about aligning with a DRP process? We live in a digital world, and recovering requires a strong DRP and also a link to a crisis management center, either virtual or real. None of the standard means anything without an IT disaster recovery program and a DRP site to make it happen.
Hi - I am ploughing through the ISO 27001 toolkit I purchased a few months ago, but I haven't yet set up the complimentary live consultation. I plan to after I am a little more progressed. In the meantime, I am really struggling with the above.
We are a small SaaS startup. Do you have a non-confidential example document of this schedule you can send to me, to get me started sketching out some example requirements from the likes of employees, shareholders and clients? Government act compliance is pretty straightforward.