ISO 27001 & 22301 - Expert Advice Community

  • Internal Audit and Statement of Applicability

    1. Does the internal audit need to happen before Stage 1 certification audit? Or can we schedule an internal audit to happen following Stage 1 when we have implemented the feedback?

    2. Currently working on the Statement of Applicability and I wanted to ask if all of the controls we say YES to implementing, do they need to be noted down in the Risk Treatment process? Or is it okay to have some additional controls in the Statement of Applicability in comparison to the Treatment?

  • Documented processes

    I have a question: must a team have documented processes to comply with ISO 27001? In other words, if during an audit you come across a team that has not documented their processes, is that a non-conformity?

  • Gap analysis question

    They have sent me a gap analysis agenda on the implementation of ISO 27001:2013. The documentation I have acquired allows me, I understand, once completed, to respond to this gap analysis. Is this correct?

  • Question for assignment

    1 - For instance, in documents like SECURITY PROCEDURES FOR IT DEPARTMENT and IT SECURITY POLICY, record names, storage locations, etc. must be specified. So my concern is, how will it be if we are progressing with IT Security policy and have to write the same document name in the record name? According to my understanding, if we define a record name, there would be various documents pointing to that procedure. Let me know briefly what we can write, please.

    2 - The situation you presented is very unusual, because a record related to a document in general refers to a specific action described in the document, and would not include the name of the type of the document. For example, for the “Backup Policy” you would have a record named “backup record” or “restoration record”.

    Another concern is that we don't use antivirus software, yet the IT Security Policy has a section about it. What should we say in that section if our company doesn't use antivirus software?

    3 - If you could clarify my confusion regarding the fact that the record name here in the secure development policy prepopulates the information for the record name and also shows the procedure for secure information system engineering and testing plan for security requirements and system acceptance, will we still need to create these documents on our own? How will the records be created?

    This question is related to Section 4 in the secure development policy document.

  • Change Management Document

    I noticed that the ISO 27001 package contains the Change Management Policy document (A12.2), but not a document to provide guidance on managing, tracking, and documenting the change steps.

    Is there an industry standard “Change Management” document to manage, track, and document infrastructure or application changes?

    Thank you for your assistance.

  • Statement of Applicability

    For the Statement of Applicability, are we to justify ONLY what we would like to implement, or do we need to go through each control listed in Annex A and explain why we have (or haven't) decided to implement them?

  • Independent Contractor Contact

    1: How do I, as an individual, convince companies to take up my services as an ISMS expert individual contractor?

    2: If I'm an ISMS expert working on my own, how do I convince companies to take me on as an independent contractor?

  • Risk Treatment - Selection Of Controls

    When selecting "selection of controls" in the risk treatment, there is only the option to select one treatment for that risk. If we had multiple controls that we want to implement, how do we go about depicting that on the risk treatment?

  • Scope of work

    Can we choose the scope of the ISMS for the IT department only? If we can't, how long does it take to get certified?

  • Updating to ISO 27001:2022

    We began implementing ISO 27001:2013 but we would like to transition to the 2022 version. We have not been certified yet. Would it be possible to make this change?