ISO 27001 & 22301 - Expert Advice Community

  • How to register to work in cyber security?

    How to register to work in cyber security?

  • Attributes Table in 2022 version

    I took part in your recent "Discover Best-in-class Practices for ISO 27001 Risk Assessment live virtual training". No mention was made of the new Attributes Table in the 2022 version - the text of the Standard would appear to indicate that their use is not compulsory? Can you please clarify and if not mandatory what is their purpose? Many thanks

  • Company Acquisition and Integration ISO27001

    If Company X acquires a company Y, which is the process to follow to integrate the certification ISO27001, because both companies are certified, but the company Y will be under the Company X so the certification of company X can cover also to the company Y? In this case how should work the future audit process to include the company Y into the ISMS scope, taking into account that company Y has their own governance, and their own departments as HR, IT, Financial etc.

  • Question related to Antivirus

    1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe they should be erased because they are not applicable. Please let me know if you have any ideas or suggestions that we might write down or if we need to prepare any additional documents for this since records cannot be modified once they have been produced.

    2. There are 12 team members total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So as per your suggestion, we will run a pilot run for 3 employees basically with the IT administrator handling all the server data so we will install it first. How would you advise in this situation?

  • Queries ISO 27001

    Hello, I translated some documentation I found from English into Spanish, and there are things where I don't understand what they refer to, for example:

    Information security risk assessment does not require...

    What is it that would not be required in this case: defining the risk acceptance criteria, defining penalties for non-compliance with information security, identifying the security risks, or identifying the risk owners?

  • Query on ISO 27001:2022 SOA

    I have a question where I need your help:

    You can refer to this link:
    https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

    Now for the ISO 27001:2022 SOA

    do we need to add a column on how each control is implemented or it is not mandatory?

    and only the following columns are sufficient:

    - definition of which controls (security measures) will be applied, covering the suggested controls from ISO 27001 Annex A
    - justification for inclusion of controls that are applicable
    - the implementation status of applicable controls (i.e., if they are implemented or not)
    - justification for the exclusion of controls from Annex A that are not applicable

  • Improvement Log

    Should one have an Improvement Log and what fields should we use?

  • ISO Standard for KYC

    Hi, I need some information; what are the ISO 27001 standards to apply for the KYC process?

  • Gap analysis

    I have been sent a gap analysis agenda on the implementation of ISO 27001:2013.

    The documentation I have purchased allows me, as I understand it, once completed, to respond to this gap analysis.

    Is this correct?
