ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 implementation

    1. I’ve got a question on perspective. As we fill out some of this documentation, specifically as we were filling out the Statement of Applicability, we were going down the first column deciding if certain annex controls were applicable to us. We found that we were going back and forth on whether a control is applicable or not based on the perspective of looking at it from an *** perspective or from the customer’s perspective.
    For example, A.7.2.2 “Information security awareness, education and training”. If I look at that from an *** perspective, we’re obviously going to have that policy in place at the corporate level, but do we need one at the level of Managed Services? And is this applicable to us because we wouldn’t have any sort of information security awareness training for customers of ours, nor should they expect that for the services we’re offering. So how are we made to look at this?

    2. There’s a lot of business continuity stuff listed in the templates, but Business Continuity ISO certification is not a part of our certification process from our external auditing team. So do we still need to complete all of the business continuity references if we aren’t going to be getting the certification? To be sure we more than likely have that at our corporate level, but again, this is going to be focused on one service we are offering.

    3. As my colleague mentioned previously, we’ve got several lines of business at ***. Should we treat all those lines of business not directly associated with our Managed Services team as a supplier? For example, *** is our head of HR. Would he need to be listed as a “supplier” since he doesn’t work inside our *** group?

    4. Risk Register – how detailed do we need to get? Is “laptops” good enough to put on one line or do we need to list out all the individual laptops we’ll be using in the process? Same for offices, etc. Is it okay to lump groups of things together or do we need to list them all individually?

  • ISO 22301 Business Impact Analysis Toolkit content

    Hi, can you just confirm if the ISO 22301 Business Impact Analysis Toolkit has the most recent legislation for UK laws and compliance?

  • Information classification and Labeling

    1 - As part of the ISO 27001 Certification Audit, when we classify the information in the Company, do we have to classify only the information related to the ISMS (for example, Advisera Toolkit docs) or all project-related information?

    2 - And does each and every Information Processing Asset (Laptop, Server, Printer) of the Organization need to be labeled? If yes, can you suggest a way of labeling?

  • Clarification on Scope of Work

    1. What should be important considerations while defining Out of Scope in Statement of applicability?

    2. If I have some systems which are currently running on obsolete or unsupported technology, what does that mean for my ISO 27001 Stage 2 assessment and what impact can it have on certification?

  • ISO 27001 Certification

    We're a SaaS Company required to get ISO 27001 Certified. We've previously been certified with FedRAMP and SOC 2, and our current documentation follows all NIST guidelines. How do we make the transition?

  • Risk treatment plan

    How do we set up a good RTP?

  • Certification ISO 27001

    How long must an SGSI (ISMS) be operating to pass the certification process?

  • Measures and Metrics

    We have been struggling to get our measures and metrics right. Is there any best practice or education around measures and metrics?

  • How to control data tape movement during COVID19

    We are an ISO certified organization and, due to COVID-19, we are not able to comply with certain controls, i.e. the movement of backup tapes from one location to an off-site location.

    How do we address this? Is there any advisory published by ISO, or any template/format where we can document this and take approval from management, so that it will also be helpful during the audit?

  • Corrective actions

    How can an auditor verify that agreed corrective actions have been effectively implemented?