Guest
I attended your webinar on the integration between GDPR and ISO 27001 yesterday, thank you very much.
Is there anywhere you can see what ISO standards it is possible to be certified against? I have been looking but not been able to find it. You said yesterday that it is not possible to be certified against ISO 27701, which is why I am asking.
I am currently doing a thesis as my final paper in Danish Law School and I am writing on GDPR and ISO and how ISO can help demonstrate compliance to GDPR.
I have a question. I was speaking with my CEO today to align what it is we can do to show, from top management to the entire company, that our ISO 27001 project is important and will ultimately reach and affect everyone. One idea we had is to create some kind of flyer, poster, or banner that we can use in various places, probably online for the next couple of weeks, and then physically when we get back to our offices.
Is there something you might have off-the-shelf that can be leveraged to that extent?
Should I include assessed ISMS opportunities and risks in the Risk Treatment Table? I mean opportunities and risks related to the IS management system itself?
I am looking for a reference or book that gives examples of the acceptable evidence to provide during an audit for each of the ISO 27002 controls.
Does "ISO 27001 ANNEX A CONTROLS IN PLAIN ENGLISH" provide this?
1. Wondering a bit about the organization of files: we have a list of policies we need to write first. One is "Information Security Awareness, Education & Training" - I find it referenced as A.7.2.2.
Yet when I go into the folder below, where I expect to find it, there is no A.7.2.2 document: …27001_EN\08_Annex_A_Security_Controls\A.7_Human_Resource_Security.
There IS an A.7.2_Statement of Acceptance.
2. Also, the following are policies we need; however, they seem to point to no specific document. Where would you recommend we add these?
Patch Management Policy – in A.8.2 – IT Security Policy?
Information Security in Project Management – where to discuss this or assign project manager responsibilities?
Separation of Development, Testing & Operational Environments – listed as A.12.1.3 – but not sure where to create it, as I can’t find any sample wording.
I am trying to determine if all employees are required to have a copy of the ISO/IEC 27001 standard licensed document, or is it sufficient for Management to have the standard licensed document only. In our business, the standard is translated to policy.
We received this question:
Cordial greeting!
I need to do a diagnosis of a Business Continuity Plan - ISO 22301 and an information security management plan - ISO 27000 for a company in the health sector; could you recommend a bibliography?
In an ISMS project, should there be a separate document for high-level information security objectives and another for low-level objectives? High-level in the Information Security Context, Requirements and Scope document, and low-level in the ISMS Policy document?
Our team has recently started to look into the documents from the package.
At this moment I am trying to start working on the “A.6.2 Mobile Device and Teleworking Policy”. In this document, there’s a point which says:
"protection of sensitive data must be implemented in accordance with the [Information Classification Policy]"
Can you please provide some guidance here: what should we add to the Information Classification Policy, or what kind of techniques can help us implement this process?
Can you please help us with this document at the earliest possible.