Guest
I am going to update the INCIDENT MANAGEMENT PROCEDURE according to our own company. I have some questions.
It would be great if you could share some examples for different categories like security weakness or event and incidents. This way we can get a better understanding of each type.
Should we include our maintenance window in this document to exclude it from our SLA? I mean, we use this document as a reference for the SLA.
Do you recommend any tool for handling incidents that is suitable for a small business?
I have just a few questions regarding contingency planning:
1-Is a contingency plan part of the ISO 22301 requirements?
2-Who should develop the contingency plan and scenarios?
4-Is there any conflict between having a contingency plan ready and an ITDR project? I mean, is it an obstacle for the DR project if I do not have a contingency plan ready?
Finally, do you have a kit for crisis scenarios?
Thanks a million.
We have purchased your "ISO 27001 Power Toolkit" and would need support. We, ***, offer our customers a SaaS solution. We are currently preparing for TISAX certification and are in the process of setting up the ISMS. TISAX is largely based on ISO 27001.
Here is my question about the scope to be determined:
Our headquarters are in the ***, with branches in various countries, among others in ***. Only the branch based in *** should be certified and defined in the scope. The design and maintenance of the IaaS and SaaS is specified and executed by the *** headquarters. Therefore we want to treat this area (hosting), and thus its service lines, as a supplier. The problem is that employees in our IT department in the *** branch take on maintenance and administrative tasks for the EMEA area of hosting. How can this be excluded in the definition of the scope?
What are the requirements to certify a company in the printing industry?
Dear Dejan,
I have a question for you if you can help me on this.
Is customer PII considered information in the ISO 27001:2013 standard?
If yes, then shouldn't monitoring of PII shared with vendors be mandatory and not dependent on a contractual agreement? Shouldn't this activity not be allowed to be excluded from the contractual agreement?
This question confuses me about allowing exclusions in the ISMS.
I am working with companies as a consultant and helping them prepare policies they require for ISO27001 and ISAE3402 (also SOC1 and SOC2). I have also managed the audit process for my own business.
My question is: what can I do if I get certified that I can't do now? Secondly, do I have to get certified for all four (ISAE 3402, ISO 27001, SOC 1, SOC 2), or can I get one overarching certification that will apply to all? Also, what are the global bodies that accredit ISO certifications, and does that apply to Advisera?
Thanks for your help.
I would like to make an inquiry.
Which documents must necessarily be presented to a certification audit for ISO 27001, apart from the mandatory ISO 27001 policies and procedures?
(For example: process map, ISMS manual, etc.)
I need your feedback on your experience dealing with business processes.
Do we limit ourselves to processes that have links with the information system, or do we list other vital and commercial processes, such as the purchase of raw materials, storage, etc., as excluded processes when defining the scope?
What is a policy statement?