ISO 27001 & 22301 - Expert Advice Community
  • ISO 27002 changes

    Following the changes to ISO 27002, would a company be able to proceed with an ISO 27001 audit this May based on the previous ISO 27002 standard?
  • Undocumented Controls

    As part of *** ISO 27001 implementation, I thoroughly reviewed the ‘List_of_documents_ISO_27001_Documentation_Toolkit_EN’ file attached that was included within the toolkit and mapped out which Annex A controls were covered by the template documents in the toolkit. I’ve recorded this in the ‘Toolkit Annex A Controls’ file attached for reference. It would have been useful if I didn’t have to manually gather this information myself but that is not the point of this email. My biggest concern is that there appear to be 34 Annex A controls that are not covered by the toolkit, despite the toolkit being advertised as ‘All required ISO 27001 documents’ as shown below. Can you please advise on this matter as soon as you’re able so that I can proceed accordingly? With 34 Annex A controls not being covered, that seems like a lot, and I worry that when our business is audited for ISO 27001, we will fail due to so many missing controls. Any guidance or clarity you could provide on this will help my peace of mind greatly. I’m on a tight deadline to have 27001 and 9001 implemented and certified by the end of June this year, hence me purchasing the toolkits for both to cut down the number of hours required.
  • Continuous responsibilities

    I noticed in the My Work: Tasks Assigned to Me section that some of the tasks are listed as "Continuous Responsibilities", such as "Coordinate the ISO 27001 implementation project" and "Report project status to the project sponsor". My teammates have other tasks that are listed. At what point should we mark them as "Done"? Is it when we acknowledge that we have these ongoing responsibilities, or do we wait until the end of the project to mark them as done?
  • Task Link Issue

    As the subject document must be reviewed from a version control perspective, there is no link between reading the document per 1 above and then completing the Main Step for the document. This is a gap that I would appreciate your feedback on. The Task asked me to review the document. When I reviewed the document, the last page stated that I have to review it annually by x date. When I opened the wizard I needed to review/add bits, so I have done so and sent it for approval today. By doing so, it will then change the next review date to 12 months out. I just don’t think completing the Task is sufficient. Documents have to be reviewed generally each year. It’s also a good idea to distribute them again so users can refresh their knowledge. Doing this via the wizard is the way to go, I feel.
  • Risk register is not effective

    We are an SMB organization with 200 employees and 13 IT staff, and the scope of implementation is only for the IT department!! We are implementing ISO 27001, and the main challenge is to identify and register the risks in an effective and realistic manner. We are working with a third party and they delivered 140 registered risks. We have a couple of comments on the registered risks, as follows: 1. The registered risks are not realistic; it is closer to an issue register than a risk register. 2. Most of the registered risks are repeated in different ways. 3. 140 registered risks is far too many to manage and maintain. The third party based the risks on asset groups!! Does this make sense, and how can we resolve this issue?
  • ISMS

    I have some additional queries. 1. Within the document on the scope of the ISMS, in point 3.3 Networks and IT infrastructure, should the network segments and IT infrastructure (routers, switches, etc.) be fully detailed, or is it enough to place a graphic of our network diagram? 2. In the ISMS Implementation Project Plan document, point 3.1 Project objective, can the date that is set as a limit be changed as the ISMS implementation progresses, or should that date not be changed once it has been defined? 3. In the ISMS Implementation Project Plan document, point 3.4.2 Project Manager, can two or more people be designated as project manager, or can it only be one person? 4. In the ISMS Implementation Project Plan document, point 4 Management of saved records, should only the project plan document be detailed within the table, or should all the documents of the ISMS be detailed (e.g. scope document, security policy, etc.)?
  • ISO 22301 - 4.2.2

    I have attended a number of your webinars and on many occasions you have provided additional references for implementing ISO 22301/27001. We are in the process of implementing ISO 22301. In my experience, I have not implemented or worked on the full scope of an ISO 22301 implementation as we are doing now at ***. The Project Manager here has requested: "Activate your network to seek someone working in a company that is ISO 22301 (preferably) or 27001 certified who'd accept to tell us how 4.2.2 was implemented." 4.2.2 Legal and regulatory requirements: The organization shall: a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources; b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS; c) document this information and keep it up to date. I have not worked for a company that has achieved certification. In my experience this information was identified as we worked through BIAs, BCPs, DRPs, etc. We have already done some identification of legal and regulatory requirements in an initial discovery for developing the Context of the Organization. Obviously this is not a one-and-done effort, but we have not developed a process. Would you be able to share any insights/information on this?
  • 27001 question

    I work for a 27-employee software company with remote workers. I’m having a few difficulties defining the asset register and would appreciate your view. We are using the asset type “Internally developed software” to encompass all software products we build for sale. However, we have several software products. Some are sold to customers for on-premise installation and use, whilst others are SaaS products residing in the Azure cloud (within our control). Additionally, we could partition our software into further categories or even individual products where they have different risks/vulnerabilities. 1 - My question is, how granular should we get? 2 - Would an auditor need to assess individual product risks because one product uses more third-party services than another?
  • ISO 27001 and ISO 9001

    Can the RA for 27001 be incorporated into a company's ISO 9001:2015 register?
  • Help: Creating risk management plan under ISO27005

    Hi, I am after some help with creating a risk management plan. I have completed the work but have a few questions. The methodology I chose to apply was ISO 27005, but I am unclear on whether the risk communication and risk monitoring and review sections are mandatory. Actually, which parts are mandatory? Another thing I am not clear on is how I am supposed to provide justification of the risk treatment options. Is this something which is necessary under ISO 27005? Thanks