Guest
Hi. I've recently bought your template pack for ISO 27001. I was told I could just send you a message if a question popped up. Right now I'm about to do the SoA, but is there anywhere I can find the full list of all 114 controls? And can I somehow see/know which of them are mandatory to implement?
What are the main differences between ISO 27001 and the American certification SOC 2?
How does one conduct an implementation / an audit using ISO 27001 and ISO 27701 simultaneously?
Can you please help me to find my HR Policy and Awareness? I couldn't locate it in the templates.
When initially identifying risks in a Risk Assessment, is the assessment done based on existing and implemented controls or is it as if no controls are currently implemented? For example: If the Threat is fire in an office building, would the Vulnerability be “no fire protection” even if the building already has fire extinguishers and a sprinkler system? Or, should fire not be listed in the Risk Assessment since it’s no longer identified as being a Threat? Thank you.
Thanks for your attention to my lengthy query.
Our organization has been practicing the below Risk Management:
1) Enterprise Risk Management (ERM, ISO 31000) for the entire organisation
2) ISO 22301 BCM Risk Assessment for the entire organisation
3) ISO 27001 Risk Assessment for the ICT Service Delivery department only
4) ISO 9001 Risk Management for a Call Centre
These Risk Management practices with different aspects have caused confusion in the organization; staff are asking why there are so many risk assessments, and they have also caused overhead in handling these practices.
I observe the below:
1) A lot of overlapping risk assessments, as some risks that are taken care of at the ERM level are to be reassessed again under the other ISO aspects.
2) A different perspective for each Risk Assessment; e.g. ISO 27001 at CIA with a focus on critical assets, ISO 22301 on critical business functions or processes from the continuity aspect, ISO 9001 at the service quality aspect, whereas ERM at the political, financial, competition, environmental, etc. aspects.
3) The scope of each Risk Assessment varies from enterprise level to a specific core function level.
We recognise this as a strength but also a weakness, and plan to initiate a Risk Management alignment exercise.
I would appreciate it if you could share good advice on the alignment or normalisation of the risk management approach with the below goals:
1) Improve the effectiveness of the entire risk management with a holistic view
2) Improve the efficiency of the entire risk management
3) Still maintain the goal of each risk assessment / management
Hope to hear from you soon.
I see what appears to be a merge between #SOC2 and #ISO27001 audit controls, offered as the "SOC 2 plus ISO" audit. The challenge I see with most mappings for the audit is the omission of Clauses 4-10.
Dejan Košutić do you see a "HIPAA plus ISO" being born and if so, how does Clause 4-10 apply?
How do I fill in the document templates for the BYOD policy and for training and awareness?
I just released cyber security policies in my company. My question is what kind of presentation I should give to all employees to illustrate these policies and make them understand what is written.