ISO 27001 & 22301 - Expert Advice Community

  • Scope definition

    Our company has about 50 employees and we develop and manufacture a product with both software and hardware components.

    Do we include in the scope document the back-office systems that are used for HR, Marketing, Sales, Finance (incl. salaries), and CRM?

    I would assume that our customers will not be interested in that, but are rather focused on ISO 27001 referring to product-related systems like R&D, software development, and manufacturing, and also on us protecting their medical information that might be stored on the device.

  • Request for guidance

    I frequently come across an article that I find extremely helpful, and now I would greatly appreciate your guidance on the following matter. Our organization has already implemented ISO 27001:2013, and a new version has been introduced. Currently, I have a Statement of Applicability (SOA) that is based on 114 controls from ISO 27002:2013. My question is whether I should create a new SOA consisting of 93 controls in accordance with ISO 27002:2022, and subsequently make the necessary updates on my current SOA. Your advice and support in this matter would be greatly appreciated.

  • ISO 27001:2013 VS ISO 27001:2022

    Hi there, I have been qualified as a Lead Auditor on the 2013 objectives. Are the 2013 objectives still active, and can an organisation be certified with those objectives?

  • No budget to implement control A.8.12 Data Leak Prevention

    Control A.8.12 DLP is relevant to us as Intellectual Property that's stored largely on Google Drive is one of our most important assets.

    However, we do not have the budget to enable Google's DLP rules.

    How do we explain this in our documentation in a way that we still pass the ISO 27001 audit?

  • Confidentiality Statement

    I'm unclear on who should be signing the confidentiality statement. Should this be our employees, or our external clients and suppliers?

  • ISO 27001:2013 to ISO 27001:2022 Conversion Tool

    The tool shows ISO 27001:2013 A.18.2.3 splitting between ISO 27001:2022 A.5.36 and A.8.8 when you convert it, but the tool shows it subsuming into A.8.8 when you convert 2013 A.12.6.1 (it doesn't mention the split). Can you clarify? Thank you.

  • Who should write mandatory documents in organization?

    I hope you are well. I recently had a colleague ask me a question on who should write the mandatory documents in an organisation. Is it the training consultant or the employees (process owners)? Kindly point me in the right direction.

  • Retention for SIEM

    I am wondering what the log retention times for SIEM requirements are for ISO 27001 implementations in various countries. Thank you for all you have done for us.

  • Data leakage prevention

    I was wondering why there is no template for 8.12 Data leakage prevention in the toolkit.

    Could you please provide any help on that topic in the context of a small company that does not have too many options to introduce a fancy toolset to cover this new 2022 aspect?

  • Question about gap analysis

    What documentation is needed for a gap analysis between 27001:2013 and 27001:2022? I'm also interested to know if there is a template available for this.