
ISO 27001 & 22301 - Expert Advice Community


  • Secure development policy

    A.14_Politica_de_desarrollo_seguro_27001_ES", we need to know, for item "3.3 Secure engineering principles", whether these principles must be described in detail in this policy, and if so, which principles should be included, or else be given some documentation or an example to complement this item.

  • Register of Requirements Blank

    I should have clarified on the initial request but for the register of requirements, if we don’t have any legal, regulatory, or contractual security obligations do we also list internal security policy requirements, or is this section left blank? While we do have MSAs, we don’t have a specific security control agreement with clients currently.

  • Risk assessment and treatment

    We want to be compliant with the Baseline Information Security for Dutch governments, abbreviated as the BIO. For more info: https://bio-overheid.nl/ This baseline is a selected subset of ISO 27002 controls, selected based on information security risks for Dutch governments. We have already created information security policies and procedures and implemented most of the organizational and technical controls.

    My questions:

    1. Would it be acceptable for the ISO 27001 certification to do a risk assessment and treatment with a gap analysis of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.

    2. If so, do we have to implement all technical and organizational controls before we start the certification process? Or is it sufficient that we prove we are in control of the risks by following the ISO 27001 ISMS norm?

  • Document Recovery Plan

    I am using the Document Wizard to write the Disaster Recovery Plan. Section 11 requires me to specify the archives of the person in which the records of recovery steps implementation (in paper form) are stored. In my company, we keep all documents and records in electronic form in SharePoint. The IT Dept documents their technical work procedures using OneNote or MS Word. DRP test reports are prepared in MS Word and filed in PDF form.

    https://i.imgur.com/rlvKyFv.png

  • Re-certifying

    My company is due to re-certify on ISO27001 at the end of the year. If we re-certify on the 2013 ISO 27001, would we have to keep this for the whole 3 years, or are we able to re-certify for the 2022 version next year?

    Any help would be appreciated.

  • Antivirus and MacBook Pro

    We are hoping to have antivirus software installed on every MacBook and iOS device through the Jamf or Miradore platform, because our company exclusively works with iOS applications. The problem is that we are unsure if that complies with ISO 27001, so I needed your help in this situation.

    Jamf is primarily focused on managing and securing Apple devices such as Macs, iPhones, and iPads. It provides a range of tools for device management, including inventory management, software distribution, patch management, and security controls. Jamf can help organizations implement some of the controls required for ISO 27001 compliance, such as ensuring that devices are properly configured and that security updates are applied in a timely manner. However, it does not provide comprehensive support for all aspects of ISO 27001 compliance. 

    Miradore, on the other hand, is a more general endpoint management platform that can be used to manage a wide range of devices, including those running Windows, macOS, and Linux. It provides a range of tools for device management, including inventory management, software distribution, patch management, and security controls. Miradore can help organizations implement some of the controls required for ISO 27001 compliance, such as ensuring that devices are properly configured and that security updates are applied in a timely manner. However, like Jamf, it does not provide comprehensive support for all aspects of ISO 27001 compliance. 

    In summary, while both Jamf and Miradore can be useful tools for managing and securing endpoints, they are not designed specifically for ISO 27001 compliance.

    So could you please help us with this?

  • How to register to work in cyber security?

    How to register to work in cyber security?

  • Attributes Table in 2022 version

    I took part in your recent "Discover Best-in-class Practices for ISO 27001 Risk Assessment live virtual training". No mention was made of the new Attributes Table in the 2022 version - the text of the Standard would appear to indicate that their use is not compulsory? Can you please clarify and if not mandatory what is their purpose? Many thanks

  • Company Acquisition and Integration ISO27001

    If Company X acquires a company Y, what is the process to follow to integrate the ISO 27001 certification? Both companies are certified, but company Y will be under Company X, so can the certification of Company X also cover company Y? In this case, how should the future audit process work to include company Y in the ISMS scope, taking into account that company Y has its own governance and its own departments such as HR, IT, Finance, etc.?

  • Question related to Antivirus

    1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe they should be erased because they are not applicable. Please let me know if you have any ideas or suggestions that we might write down or if we need to prepare any additional documents for this since records cannot be modified once they have been produced.

    2. There are 12 team members total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification, or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So, as per your suggestion, we will run a pilot for 3 employees, basically with the IT administrator handling all the server data, so we will install it there first. How would you advise in this situation?
