Guest
Hi!
I was really happy when I found the "Checklist of ISO 22301:2019 mandatory documentation" since that contains what is mandatory and what is not.
However, when looking at chapter 2 in the list, it says that a post-exercise report is not mandatory.
When I look in the corresponding clause in the standard (8.5), it says:
"The organization shall conduct exercises and tests that:
...
e) produce formalized post-exercise reports that contain outcomes, recommendations and actions to implement improvements;"
To me, this implies that a post-exercise report IS mandatory...
Please elaborate on your interpretation.
I need to know the components and structure required to document a BCP from an ISO 22301:2019 perspective. I am not interested in certification at this stage; I am more interested in what my organisation requires as a structure to document a BCP. We already have a BCP in place, but we need to know what ISO 22301:2019 requires to document a BCP, and accordingly I will revisit what we have in house.
I have a question regarding the statement of acceptance document. It is stated that all employees need to sign this document; does this include the managing director and also non-IT employees? Also board members? Or do only IT employees of the organization sign the document?
My registrar is telling me I have to have my recertification in December. My ISO cert will expire on Feb 13, 2021. We don't want an audit in the middle of the holidays due to limited availability (so much vacation). Why does it have to be two months prior if my cert is good through February?
I would like to clarify the documents required against Annex A controls A.12.5.1 and A.12.6.2.
We have a written document against A.12.6.2 which specifies:
Users cannot install any software
Only IT can install software
All software to be approved by IT
Software installation by end-users requires exception with risk impact.
Is there a separate document required against A.12.5.1?
We are looking to become ISO certified. We have a head office and approx. 50 sites across the XX. Is it possible to have only the head office in scope? It is quite a flat IT network, and the head office houses finance, HR and other departments for all the sites.
Just 2 more questions please:
Regarding the 27001 security control Annex 7 ‘SYSTEM ACQUISITION, DEVELOPMENT & MAINTENANCE’, do you have one single document that addresses this particular control? If not, which selection of documents do I need to purchase to address these requirements?
Likewise, is there one single document that covers Annex 7 – HUMAN RESOURCE SECURITY?
1. Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include their source in the scope? For example: there are some laptops that can access (download or view) some sensitive data from systems that are in the scope, so do we need to include these laptops in the scope, or just apply some controls to mitigate the risks coming from them?
2. What is the difference between the existing controls and planned controls? Do we need to have both in the risk register?
3. Should we write already mitigated risks in the risk assessment phase? For example: a security feature in a system is enabled, so there is no risk right now, but if someone disables this feature, then it may lead to a potential risk, so do we need to write down these risks in the risk assessment phase?
4. How can we design criteria for the impact if our scope is in the cloud?
Explain how to check that information on significant residual risk is provided to the appropriate people