ISO 27001 & 22301 - Expert Advice Community

ISO 27001 Risk Assessment

Can we perform risk assessment without writing threats and vulnerabilities? Only writing risks?

Implementation of ISO Standard in software

I hope that you can help me or possibly refer me to the right address to solve my problem.

We are working on developing software for documentation, management, and planning of LAN / WAN networks. Our clients are mostly ISPs, who use our software to document passive infrastructure. We received a request for a "history" module in which "certain" changes in the database will be saved and which is necessary for ISO certification, in order to determine the status before the change itself.

Unaware of the certification requirements, we are unable to find out what changes to facilities (buildings, cables, pipes, services, etc.) are important, and what information we need to validate and store.

I hope that I have managed to bring you closer to the topic of this problem.

Project Plan

I have drafted my Project Plan.  I have a couple of questions:

1. Although my tool kit is supposed to include ISO 27001, 27017 and 27018, the Project Plan template only refers to 27001 and Business Continuity.  Should it not include all 3?  My concern is that I am missing something in the project plan because the template does not talk about all 3.

2. I am also confused about Business Continuity.  Does that need to be in or not?  You have taken it out in the demo.

3. There is no section in the Project Plan for training.  Should this not be part of the Project Plan?

4. Should there not be a section on the test audit date as well?

5. It seems like the Project Plan is just about completing the documents and nothing else.

A.5 and A.8 elements

Our organization had purchased the ISO 27001 from Advisera last year, I am in need of your assistance pertaining to ISO 27001 packet and its documents within.

While implementing elements of ISO 27001/A.5 and A.8 elements, few of my results pointed to the following documents/forms, however, they are NOT available in the ISO 27001 packet we purchased.

How do I obtain the following list of documents so that I may complete my asset management and controls?
    A.7.2.1 - Management responsibility
    A.8.1.3 - Acceptable use of assets
    A.9.1.1 - Access control policy
    A.12.3.1 - Information backup
    A.13.1.3 - Segregation in networks

Chemical lab test

What are the measures which should be followed in a chemical lab for assuring the quality of the test?

User Account Responsibilities

I have a query in the “IT Security Policy” document.

3.6. User Account Responsibilities

The user must not, directly or indirectly, allow another person to use his/her access rights, i.e. username, and must not use another person’s username and/or password.  The use of group usernames is forbidden.

Query: As per the clause ‘A.9.3.1’ the individual users shall have and secret authentication information. We are manufacturing firm and use shared assets.

1. How do we comply to this clause?

2. Is it necessary to have written on this clause in the policy?

Adopting the ISO 27001 standard

I have a meeting next week the 27th with the *** where I have been selected to present a technical overview to adopt the standard officially in *** for our Banking Sector and Auditing Firms. If I may ask, what would you suggest a good platform to present to them a foundational background and why it is important to any organization to adopt the standard?

Business impact analysis

does the new ISO 22301:2019 makes obsolete ISO 22317:2015?
In the new version of ISO 22301 Risk assessment is connected with BIA.

ISO Standards for HR Policies

I am considering adopting ISO standards for HR Policies. Can you tell me why I should adopt ISO standards for my HR Policies?

Maintenance of ISO 27001

1. I want the process of maintenance after organization certified with ISO 27001.

2. How to maintain the document policies procedures etc related the ISMS