Guest
We have already purchased the templates. I was trying to get information on internal audit options. Is that something your company does or do you have suggestions on who to work with?
I'm implementing an ISMS framework for my company.
All the critical applications for critical processes are hosted on the cloud.
Clause 17 of ISO27001 requires Information Security aspects of Business Continuity management.
We don't have BCP/DR plans in place.
Now clause 17 only focuses on ensuring information security arrangements in case of BCP & DR. So my question is: do I have to prepare full BCP/DR plans to comply with the clause 17 requirements? Or is there any alternative for it? Please guide.
We have a question for you on 4.: what is the best way to address this requirement? Should we add this verbiage to our 05 risk assessment and risk treatment methodology document (like below), or should we create a separate table and/or document where we list the action, who is responsible, and the timeframe for the items noted below? My original thought was to include these items in our risk assessment process, but I would be interested in your thoughts. Thanks.
3.6 Organization and Context
The head of EOM Security and Compliance will be responsible for identifying any internal or external issues that could affect the intended outcome of the ISMS. Internal issues such as resources, training, data storage, organizational roles, tools, EOM software, and system processes need to be captured and added to the Risk Assessment Table. External issues such as cloud providers, customers, the economy, technology, legislation, and the environment all need to be reviewed and added to the Risk Assessment Table if necessary.
Just wanted to know whether there has been any log retention period defined in ISO for storing system logs, in terms of number of days/years. For example, in PCI-DSS there's a requirement to store the logs for 1 year; can you please confirm if there's anything like that from the ISO perspective?
Quick question: 6.1.3 (f) requires the risk owner to accept the risk treatment plan and residual risks. In your templates (risk treatment plan, Method for risk evaluation and treatment), the risk can be accepted by top management. Does this still conform with 6.1.3 (f), or do we have to get approval from all risk owners?
1. A quick question on your calculator.
Q: Number of physical locations. We have 5 employees who all work remotely. We don't have a physical office. So is this 5 physical locations?
2. Another question on the calculator. One of the questions asks whether a project manager will be assigned (or something along those lines). I ticked 'yes' as I am assigned as PM and I am a Prince2 practitioner. Does this assume a full-time employee? I am part time, therefore I wonder if the calculation would be longer if it took that into account.
I have a question. Can the ISO 22301 certification be applied to a product which aims at ensuring business continuity after a disruptive event?