Guest
I would ask him about completing the Statement of Applicability as our starting point to understand the scale of work (being such a small business) with regard to Annex A and which of the 114 controls are going to be necessary.
1. Would you mind explaining to me how we can justify the inclusion/exclusion of controls in the SoA?
2. And how can we justify the exclusion of a part of the ISMS from the scope?
I'm currently setting up our QMS (ISO 9001) toward ISO 22301. Currently, I'm focusing on Clause 8 due to the BCMS requirement. I want to simplify this system as much as possible, and yet we are still implementing risk management in our system. For risk assessment we are using SWOT, but if needed we will use the risk matrix system. Using our risk management system, we can check whether we need to go further if it hits the high-risk scale.
1 - Question: am I on the right path, and what are the pitfalls I may encounter? Some of our processes rely on a digitalized information system, and if the system fails we fall back on our manual system. We have not decided to go for ISO 27001 yet.
2 - Question: am I right to say that we only select such key cases when doing our BCMS and use those cases for the certification of ISO 22301?
3 - Final question: I saw the BIA template; it may be complicated for my staff to understand and use effectively. Is there any simpler template to use?
How can I define "equipment" and which equipment to include, e.g. in A.11.2.4 Equipment maintenance? Also for asset inventory and ownership: how do I define which assets are in and out?
1 - Is the SOA related to the scope?
2 - How can we verify the inclusion and exclusion of controls?
1 - Company documents such as "contracts" signed with various clients: do these form part of "internal" documents or external?
2 - Would we have to follow a Change History table on them too?
As part of a case study I'm working on, I need to describe a plan of action and the expected impact on the SW engineering dept of a digital banking company. The new CISO decided to introduce an ISO27001 ISMS and aims for the certification in 3 years. I have been tasked with implementing this framework in the SW engineering dept.
Can you help me structure the main guidelines and controls I should look at? I can make assumptions of course, but I'm not really sure how best to tackle it.
Would you know if the exception process in an information classification policy can be a manual process?
I have heard a lot about GDPR and how much it restricts the privacy of PII. In my case I have a proxy web server that has many backend services behind it; one of those backend services uses something called Basic Authentication to authenticate the user. In basic authentication the user submits a username and password, and these are base64 encoded in the request header. The point is my proxy logs the username from that header in the audit log, so if the user is admin then I'll log "User: Admin" in my log.
Is this prohibited by GDPR or ISO 27k? Note that I'm logging this info for security reasons.
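The proxy behaviour described in this question, as an added illustration (not code from the original post): the Basic Authorization header is decoded, the user-id is split off for the audit line and the password half is discarded before anything is logged, with an optional keyed pseudonym for the user-id where data minimisation is wanted. The header value, the client address and the pseudonymisation key are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed key for pseudonymising user-ids in the audit log (assumption: kept
# outside the log store and rotated like any other secret).
PSEUDONYM_KEY = b"example-rotate-me"


def parse_basic_username(auth_header):
    """Return the user-id from an HTTP Basic Authorization header, or None.

    The password half is discarded here and never returned or logged.
    """
    if not auth_header:
        return None
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # RFC 7617: user-id ':' password; the user-id itself cannot contain ':'
    username, sep, _password = decoded.partition(":")
    if not sep or not username:
        return None
    return username


def pseudonymise(username):
    """Keyed hash: entries stay linkable for investigations without a plain identity."""
    return hmac.new(PSEUDONYM_KEY, username.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def audit_log_line(headers, client_ip, path, pseudonymous=False):
    """Build the proxy audit line; only the user-id is used, never the credential."""
    user = parse_basic_username(headers.get("Authorization"))
    if user is None:
        shown = "-"
    elif pseudonymous:
        shown = "uid:" + pseudonymise(user)
    else:
        shown = user
    return f"client={client_ip} user={shown} path={path}"


if __name__ == "__main__":
    # Constructed request carrying "admin:s3cret" base64 encoded.
    hdrs = {"Authorization": "Basic " + base64.b64encode(b"admin:s3cret").decode()}
    print(audit_log_line(hdrs, "203.0.113.5", "/api/reports"))
    print(audit_log_line(hdrs, "203.0.113.5", "/api/reports", pseudonymous=True))
```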
Hello Dejan and team. We are a start-up based in ***. We are just about to start coding our software-as-a-service solution. While it is not a top priority initially, we expect that we will later seek ISO 27001 certification. What are the key considerations we should bear in mind as we embark on the development process, so that we have the preparatory work in place to ease the ISO 27001 process later?