
ISO 27001 & 22301 - Expert Advice Community

  • ISO documents management (Delegation)

    I have two different cases during the ISO implementation related to document owners and roles & responsibilities.

    First: during implementation of ISO 22301, the CISO was assigned to be the BCM Manager with R&R under this title, and he was the document owner too. The project finished and after a while the CISO resigned, and we need to delegate someone on behalf of him.
    Q: What are the needed changes that should be done on these documents? Document owner, add new title under roles and responsibilities.
    Or will the delegation letter from the top management cover this, with no need to change the documents?
    ------
    Second: during implementation of ISO 27001 there was no information security manager. The ISM is defined in the company structure with R&R under this title, and they are going to hire one next year due to the small size of the company, and he will officially be the A&R person for all documents and the project.
    Q: What are the needed changes that should be done on these documents? ISMS Manager, add new title under roles and responsibilities.
    Or will the delegation letter from the top management cover this until the ISM is hired, with no need to change the documents?

    Thank you very much and I'm looking forward to hearing back from you soon.

  • Mandatory documents or not

    We have bought your toolkit for implementation of ISO 27001:2013 and I’ve used the summary enclosed in this mail as a guideline to what we need to implement, as we are on a very tight timeline.

    Yesterday I was in a meeting with a consultant that we have hired to prepare us for the upcoming certification process. He then asked why I had not produced documents according to the demands in the Annex, to which I replied that they are not mandatory for the certification.

    He did not agree. My instructions to him have been that we need to apply the least amount of documentation to implement new routines and at the same time get certified. It is our absolute goal to fulfil and implement all requirements, but we have to take it slow as I have another full-time job at our company. I’ve taken on this job as it is often a requirement from my customers and we need to have the certification ASAP. It is, however, agreed that we also need the policies and instructions to live by, but the further job of implementing and creating new ways to get our job done will not be led by me but by a newly recruited CISO (who has not yet started).

    I’m sorry for the long mail, but I need clarification on this question. We now have 4 weeks left until the pre-revision and I must know if I have to make sure that all documentation is produced. I have implemented a lot, and initiated other changes, but the documents are not ready, neither is the implementation completed, because I thought I had more time. I would therefore very much like to hear your opinion on the matter.

    Examples (not a complete list) that are not mandatory according to your overview are:

    A.8.3 Information Classification Policy

    A.11.1 Clear Desk and Clear Screen Policy (Note: it may be implemented as part of IT Security Policy)

    A.13 Information Transfer Policy (Note: it may be implemented as part of Security Procedures for IT Department)

    A.17.2 Business Impact Analysis Methodology

  • Question about eBook

    Last week, I bought “(eBook) Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own”.

    Is there a supplementary document to describe the impact that ISO 27001:2022, has on the ebook?

  • Register of external correspondence

    I'm finalizing the procedure for document control and am a little bit confused about the section regarding external correspondence. It suggests we need a register to document external correspondence, but what does this entail? We currently don't have a process for this.

    Is the expectation that any document we receive externally (via email or physically) needs to be documented? If not, what examples of documents would we need to take note of?

  • Annual Audit Program

    Hi Dejan! I've been watching your videos on Advisera and planning to take the exam. I was wondering: under the Annual Audit Programme you said that companies can define their audit criteria? I was wondering, from an external audit perspective, wouldn’t the audit compulsorily look at the standard, internal policies and procedures, legislation requirements and interested parties' requirements?

    Is there room to say the audit criteria can be scoped to just the standard and not the internal policies etc?

  • Energy Management

    We are an energy utility company and are seeking to implement ISO 27001:2022 throughout our business units. We also came across ISO 27019:2020, and there are some additional controls specifically for energy utility companies. Do we need to add these controls to our SOA? If so, how will we insert them? Thank you!
