ISO 27001 & 22301 - Expert Advice Community


  • Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

    Hi, I don't know how to start this list; I may need clear examples of how to fill in this list. Maybe some examples in the document for each would be nice: legal examples, regulatory examples, contractual examples, and other requirements examples.
  • Software SaaS company

    I want to better understand, as a software SaaS company, how to leverage ISO 27001 / 9001 / 90003 together with an SDLC for agile development and build a support team with ITIL / ISO 20000. Security and quality without stopping productivity.

  • Risk treatment plan

    It is clear that the Risk Treatment Plan must be defined for the information assets that fall within the scope of the ISMS. Should the ISMS always be considered an information asset in itself (and, therefore, should the risks associated with its management be identified)? For example: the risk of not defining the scope well, the risk of not having inventoried all the assets relevant to the scope, the risk of not defining the SoA well, the risk of not having defined the Risk Treatment Plan (RTP) in a comprehensive and coherent way, etc. Is this approach usual, or does this go beyond the ISMS itself? Thank you in advance for your answer.

  • Are templates mapped with NIST and CIS 20 requirements

    I have a question regarding the policies and standards that will be customised. Are the templates mapped to NIST and CIS 20 requirements?

  • Legal basis

    Please advise regarding the below.

    As a data processor, what is the legal basis for processing the data, noting that we need to process the data to provide our services to the data controller, that consent is not obtained from our side, and that we don't sign a contract with the data subject; however, we sign one with the data controller.

  • Query regarding the career with ISO 27001 Certificate

    Kindly help guide me on whether ISO 27001 is the right path for my career. I have a total of 6.5 years of experience in the telecom domain; currently I have moved to a Telecom Security Engineer role.

  • ISO 27001 Foundations Course comment

    "List of all the controls from Annex A and any additional controls that might be identified in the risk treatment process"

    "All the controls from Annex A" means the 114 controls.

    So this should be false, but the quiz considers it true.

    I know it is meant to be the SELECTED controls from Annex A, but that is not what is written.

  • Managing records kept on the basis of documents

    Hi Advisera,

    A lot of records (e.g. the Risk Treatment Table or the SoA) that should be created and managed should be based on templates in PDF format. I understand that. But there is version history in Office 365, so we can check whether there were any unauthorized changes. Is that enough, I mean storing the records in Excel or Word form, not PDF, but with version history turned on?

  • Network controls

    ISO 27002 requires (in A.13.1.1) the control: "Networks should be managed and controlled to protect information in systems and applications".

    I am interested in particular in items f) and g).

    What is meant by "systems on the network should be authenticated" / "systems connection to the network should be restricted"?

    What is meant by "systems"?

    Can you please give me some examples for better understanding?

  • ISMS Manual contents

    I'm currently guiding an ISO 27001 implementation project and helping people on my team understand what documentation needs to be done. A topic that comes up regularly is the need for an ISMS Manual. I understand this is not a mandatory document and, to be honest, it takes in lots of repeated (summary) information already in other documents of our ISMS. However, I understand some concepts written in this manual may be useful, such as explaining our information security organisational structure and the documentation framework of the ISMS (what documents we have, how we split them into policies, procedures, work instructions, etc.). What do you recommend for documenting this type of information?