ISO 27001 & 22301 - Expert Advice Community


  • Review ISMS document

    I am reviewing the existing ISMS scope document; the last review of this document was in October 2018. What should I review and analyze in this document? Please let me know which areas I have to review.

  • Implementation of iso 27001 controls

     Hello, I have been a risk analyst for 3 years and I was carrying out a gap analysis of ISO 27001 covering the 114 controls. I now have as a result a global percentage that does not tell me where I should start implementing controls. I should point out that this is not for certification but as a risk management process. I would like to know whether some controls are more important than others. You may tell me that it depends on which ones apply to the company, but they all apply. I should mention that I did the review at a detailed level and have a compliance percentage per control; I would start with the ones that scored lowest, but I want to know whether there is an order of relevance for this case, or whether good practice suggests something. Thank you in advance for your help.

  • SGSI measurements

    How should the measurements of the ISMS (SGSI) be established?

  • Annex A Applicability

    I would ask him about completing the Statement of Applicability as our starting point to understand the scale of work (being such a small business) with regards to Annex A and which of the 114 controls are going to be necessary.

  • ISO 27001 controls (SOA)

    1. Would you please explain to me how we can justify the inclusion/exclusion of controls in the SOA?

    2. And how can we justify the exclusion of a part of SMSI from the scope?

  • ISO 22301/business continuity

    I'm currently setting up our QMS (ISO 9001) toward ISO 22301. Currently, I'm focusing on Clause 8 due to the BCMS requirement. I want to simplify this system as much as possible, yet we are still implementing risk management in our system. For risk assessment we are using SWOT, but if needed we will use the risk matrix system. Using our risk management system, we can check whether we need to go further if it hits the high-risk scale.

    1 - Question: am I on the right path, and what are the pitfalls I may encounter? Some of our processes rely on a digitalized information system, and if the system fails we fall back to our manual system. We have not decided to go for ISO 27001 yet.

    2 - Question: am I right to say that we only select such key cases for doing our BCMS and use those cases for the certification of ISO 22301?

    3 - Final question: I saw the BIA template; it may be complicated for my staff to understand and use effectively. Is there any simpler template to use?

  • Equipment maintenance

    How can I define equipment, and what equipment should be included, i.e. in A.11.2.4 Equipment maintenance? Also, for asset inventory and ownership, how do I define what assets are in and out?

  • Question about SOA

    1 - Is the SOA related to the scope?

    2 - How can we verify the inclusion and exclusion of controls?

  • Document control

    1 - Company documents such as "Contracts" signed with various clients: do these form part of "internal" documents or external ones?

    2 - Would we have to follow a Change History table on them too?

  • ISMS implementation - digital banking sw engineering

    As part of a case study I'm working on, I need to describe a plan of action and the expected impact on the SW engineering dept of a digital banking company. The new CISO decided to introduce an ISO27001 ISMS and aims for the certification in 3 years. I have been tasked with implementing this framework in the SW engineering dept.

    Can you help me structure the main guidelines and controls I should look at? I can make assumptions, of course, but I'm not really sure how best to tackle it.