ISO 27001 & 22301 - Expert Advice Community




  • How comprehensive and specific should we describe the implementation methods in SoA?

    Hi, I still struggle with the SoA. I know it's not mandatory to describe the implementation methods which is practical if I don't yet know what specific measures we want to implement. But in the next step (risk treatment plan), I have to provide information on human, financial and technological resources. This is only possible if we know fairly precisely how implementation is to take place.

    Isn't it better to describe the implementation in more detail? But what does that look like? For example, we have a project for log obfuscation that has been started but is not yet finished. It fits in with control 8.11 Data Masking. Do we then mention the project in Implementation at 8.11?
    What do we do with the controls that we don't yet know how to implement but think are important? Only mention a policy that we will write, or a task that we need to rework an existing policy?
    What do we do if we later realize that we need to implement technical measures?

  • Non-mandatory documents

    I'm preparing a checklist for ISO 22301 and I found the list of non-mandatory documents on your website. The list is a helpful resource, and I was hoping to gain some additional information about its source. Specifically, I am curious if the list of non-mandatory documents is directly referenced within the ISO 22301 standard itself, or if it represents a compilation of best practices or recommendations from another source.

  • What do we do when our existing policies do not match Conformio's policies?

    Some of the policies that we have to create according to the Statement of Applicability already exist as pages in our company wiki. The Conformio policies and our policies will not be the same; I rather expect ours to contain more detailed rules. Because we are still working on the SoA, I cannot check what exactly is written in the policies provided by Advisera.
    I know that there is the possibility to add custom paragraphs in the Conformio policies, but no custom headings can be added.
    What do we do if our guidelines and Conformio's do not match?

  • Teleworking Policy and IT Security Policy

    Considering that the rules specified in the IT Security Policy are the same as the ones in case of teleworking, and that all our applications and SaaS are in the cloud, could we avoid writing a Teleworking Policy and state that teleworking is regulated by the IT Security Policy?


  • Risk treatment plan

    Is it necessary to implement a treatment plan for all identified risks, or is it only necessary to apply a treatment plan if a medium or high risk is detected?

    I am asking this question because in my risk assessment, all the residual risks are low, and according to my policy, only medium and high risks should receive a risk treatment plan. I want to know if it's appropriate to leave low risks without a risk treatment plan or if I should create one despite all risks being low.

  • 3.4. Handling classified information

    In the Information Classification Policy, to be more specific in 3.4. Handling classified information, what exactly do you want me to write down?

  • Custom Edit Documents

    I am just getting started with Conformio and I see a problem. The wizard shows a document with text stating a policy on something we do not do. I see where I can add a paragraph, but how might I go about removing the text in the wizard that is not relevant to us?

    Specifically, it is the Procedure for Document and Record Control stating what we do with physical documents. We are fully remote and cloud-collaborative. We do not have physical documents (or locations) in the ISMS scope. And knowing our auditor, if he sees text about physical documents and how we handle them, he will want evidence.

  • Recovery

    I just want to know if, in best practices and according to ISO 22301, it is preferable, in case of need for recovery, to perform it fully automatically or to require human intervention step by step.

    Is there a clause in the ISO 22301 documentation that specifies or describes this?

  • Procedure for document and record control

    Is it best practice to have the CEO approving the control of documents? My worry is that the CEO becomes a bottleneck for the organization, since he has to review any changes to the documents. Please clarify.

  • Statement of Acceptance of Residual Risks

    I don't think this statement makes sense: "Statement of Acceptance of Residual Risks – a document specifying unacceptable risks for which an effective treatment has not been found". It should read like "a document specifying acceptable risks...".
