ISO 27001 & 22301 - Expert Advice Community

Risk assessments

I purchased your ISO 27001 document toolkit, along with various books.

With regard to the risk assessment, it’s my first time doing this exercise  – while the training & templates are useful, I am a little concerned I’m making it more complicated than it needs to be for a business of our size.

As with anything, there are levels of detail you can take it to, and I suspect I might be going too deep.

I was wondering if you had any real example risk assessments for a small/medium-sized *** company that you think are good and would be able to share with me (even if they are a little old)?

While the theory and examples are useful, I think seeing a real one would help me measure the depth required and if I’m on the right track.

ISO 27001 security-driven culture

1. How can we create an ISO 27001 security-driven culture in an organization?

2. What are the success factors to ensure ISO 27001 compliance?

Productivity and surpasses performance target

How ISO 27001 ensures the productivity and surpasses performance target.....

Risk Assessment

To start, during our last discussion you mentioned we could email you with any questions we have.  If your inbox isn’t the right place to direct these to, please let me know the alternative address.

I had two general questions:

(1) Our product as a service platform can be thought of containing multiple modules (this is primarily a marketing and sales spin).  Each module can be thought to perform a different feature (i.e. dashboard module, data dissemination module, data transformation module) but these are all driven by a single code base.  When doing the risk assessment, should these be thought of as separate assets?  Or should they be represented by a single asset (i.e. *** platform)?

(2) The scope of our ISO is the "handling of customer data (ingestion, storage, dissemination)”.  In the risk matrix, we’ve already called out assets (and done the threat/vulnerability breakout) including:
- employees
- contractors
- management
- office
- data centers
- network
- laptops
- mobile phones
- application software (codebase)
- licensed application

Is there value to auditors to specifically call out assets for each of ingestion/storage/dissemination?  Or should they be worked into the existing assets (i.e. ingestion would exist under datacentres). Ingestion / storage / dissemination are technically “processes” (not assets) so on one hand I’m hesitant to list them as assets, but on the other hand they are important portions of the scope and so calling them out might help the focus of the audit.   Can you share your thoughts on this?

Compliance with the access control policy

Hi, quick question now that you have the COVID-19 how do you stay in compliance with your access control policy? (meaning access cards, biometrics, etc)

Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

I was checking this White paper: Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

On page 2 it refers to Definition of security roles and responsibilities A.7.1.2, A.13.2.4

Is there a mistake to the reference?

Finding internal and external auditors

We’re still several weeks away from being ready for an internal audit, but I have questions about the internal and external audits that I wanted to ask now in case it takes us a while to make the necessary arrangements.

1. First, we’re thinking of hiring an auditor with who has experience doing ISO 27001 audits to do our internal audit because this seems like this will give us a better sense of how the external audit will go (thought let me know if this logic is flawed for any reason). Do you have any resources you could point me to on hiring an auditor for the internal audit? Or any tips on how best to find someone?

2. Second, do you have any resources you could point me to on finding a certification body? In particular I believe we’ll want to find one that has auditors in ***. We won’t have any operations in *** until after we get certified (we need to be certified before we're allowed to start work there). But once we start operating in *** there I assume we’ll need an auditor to visit our office there for follow-up audits in 2021 and beyond (again, please let me know if any of these assumptions are wrong).

ISO 27001 Risk Assessment

Can we perform risk assessment without writing threats and vulnerabilities? Only writing risks?

Implementation of ISO Standard in software

I hope that you can help me or possibly refer me to the right address to solve my problem.

We are working on developing software for documentation, management, and planning of LAN / WAN networks. Our clients are mostly ISPs, who use our software to document passive infrastructure. We received a request for a "history" module in which "certain" changes in the database will be saved and which is necessary for ISO certification, in order to determine the status before the change itself.

Unaware of the certification requirements, we are unable to find out what changes to facilities (buildings, cables, pipes, services, etc.) are important, and what information we need to validate and store.

I hope that I have managed to bring you closer to the topic of this problem.

Project Plan

I have drafted my Project Plan.  I have a couple of questions:

1. Although my tool kit is supposed to include ISO 27001, 27017 and 27018, the Project Plan template only refers to 27001 and Business Continuity.  Should it not include all 3?  My concern is that I am missing something in the project plan because the template does not talk about all 3.

2. I am also confused about Business Continuity.  Does that need to be in or not?  You have taken it out in the demo.

3. There is no section in the Project Plan for training.  Should this not be part of the Project Plan?

4. Should there not be a section on the test audit date as well?

5. It seems like the Project Plan is just about completing the documents and nothing else.