ISO 27001 & 22301 - Expert Advice Community

Register of Requirements

Underneath the register of requirements where I am asked if I am compliant with the Computer Misuse Act am I expected to have a policy or do I read and agree to the terms?

09.04 BYOD Policy and 09.01 IT Security Policy

Is there a reason to keep the 09.04 BYOD policy separate to the 09.01 IT Security Policy?

Or can we just include it there (in 09.01) like for example we do with 09.02 Clear Desk policy?

ISO 27001 doubt on applicability of controls

My doubt is related on controls to be implemented regarding software development, i.e, controls 8.25, 8.26, 8.27, 8.28 and 8.29.

I understand that if there is any type of internal software development the controls must be applied.

However, if a company has installed any software/platform that is open source, it means that its allowed or can be made changes. Even, and for instance, for solutions that IT systems administrators use to manage IT infrastructure.

In this case, any of the mentioned controls must be applied ? meaning that they cannot be excluded.

Completing RTP before certification audit

Does all of the RTP need to be completed before certification audit?

Can a single legal entity have multiple ISO 27001 certifications?

Hi Our parent company has ISO 27001. We have a new venture that is devolving from the parent and will become a separate legal entity. We want the new venture to be ISO 27001 certified, however it operates very differently from the parent company. My question is can a single legal entity have 2 ISO 27001 certifications i.e one for the parent excluding the new venture and a separate one for the new venture (which over time will become a separate legal entity)?

Team in charge of implementation and maintenance of the ISMS

We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".

We also want this team members to be able to approve requests like for example in "09.01_IT_Security_Policy_27001_EN" for installing software, running java, to name just a few.

We don't want only one person to approve this, whether it is the IT manager or the CTO.

We are a 50-user *** company.

It does not make sense to me that the executive team be the one in charge of the above since our case it is a small team of mostly non-technical users.

We thought of creating a 3-person team (maybe call it "IT Team" or another name if you have a better idea) that includes the CTO, IT Manager and the Head of Engineering. This team already meet weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation. 

Do you think that is a good idea?

Is it in-line with the standard?

If so, is it best described in "05_Information_Security_Policy_27001_EN"?

Certification

Dear Dejan,

I am following you and Advisera for a couple of months and I really like the content you provide.
I am now in the process of preparing my first customer for ISO 27k certification, but the legal side of things with the certification is not quite clear to me.

Would please be so kind, and give me your professional opinion on this? Would also Conformio help me with the process in this case?

Let me give you a brief overview of the situation and you will know what I mean right away:

There is company A (consists of 15 people), based in EU, which develops software, provides support, makes proprietary hardware for the software they make etc.
Then there is company B (consists of 2 people), based outside EU, which owns the copyrights to this software, tells company A what to do, what to develop, and also is written on every contract when they sell this software.
Customer wants this software to be ISO 27k certified. Company B has no other legal connection with Company A, they are not like parent/daughter companies.

My question is, which company is going to be certified? Do they need to be both certified, separately?

Mandatory documents

Why are you treating 2013 edition when 2022 becomes effective September?

ISO 22301 IT

I'm working in the IT department and I have my friend working in the cyber security department, and we are now in the preparation processes to obtain ISO 22301 CERTIFICATE before this objective my friend in cybersecurity prepare all documents as part of ISO 27001 Preparation but it covers only cybersecurity department, I need your advice is that okay or it should cover all IT activities due to he tells me the main reason to disruptive the services in IT is the cybersecurity?

please advise who is right we have prepared a BCM plan, Risk management, BIA, BC community, and response structural DR but it focuses on cybersecurity.

Risk Register & BYOD