ISO 27001 & 22301 - Expert Advice Community


  • Consulting and conflict of interest

    I have a question and don't know where I can find the answer to it.
    I know a CB is not allowed to do consulting.

    1 - When we talk about ISO27001, what is the consulting evidence?

    2 - Is pen test or contract for implementation of SOC type of consulting?

    3 - Is a CB allowed to give these services to their clients?

  • ISO 27001 implementation

    Thank you very much for your time and detailed answers. I only have one more question before I make the purchase:

    Comparing the two documents you provide (attached), I see a discrepancy: a few of the documents listed as mandatory in the Checklist are missing from the List of documents in the Toolkit:

    - Definition of Security roles and responsibilities
    - Acceptable use of assets
    - Operating procedure for IT management
    - Secure system engineering principles
    - Business continuity procedure

    Please explain?

  • Security service presentation
    Hello, I am making a presentation on "STANDARD MANAGEMENT SYSTEM FOR THE SECURITY SERVICE" and I can't seem to find what I need about 3 questions. Can you help me?

  • Agile methodology and ISO 27001 implementation

    What book can you suggest to me for learning agile methodology and are there any forms to guide the project towards that methodology?

  • ISO 27001 and PCI DSS/ PA DSS

    How much of the scope of PCI DSS / PA DSS will ISO 27001 cover?

  • Risk assessment table

    From the tutorial:

    1. Is the risk rating based on taking into account existing controls, or, in the case of no controls at all, before controls are applied?
    How does control No. 4 affect the risk level of risk No. 4?

    Shouldn't the sequence be:
    - assess risk
    - take into account existing controls
    - update risk taking into account existing controls
    - perform risk treatment for unacceptable risks and document in risk treatment table
    - define a risk treatment plan

    2. What about existing controls for Nos. 1-3? None implemented yet?

    3. What about controls for risks that can be accepted?

  • Risk management process

    Is the following order of steps for the risk management process, as provided in the ISO 27001 Foundation course, correct?
    Shouldn't the RTP be created before the SoA?

    1. Define risk assessment methodology
    2. Conduct risk assessment
    3. Select risk treatment options
    4. Create Statement of Applicability (SoA)
    5. Create risk treatment plan (RTP)

  • ISO 27K Competences

    Please advise on the CISO competences required by ISO 27K, i.e. those that need to be documented.

  • Risk Analysis

    I am creating documentation for risk management. The documentation says risk assessment; I want to know what gap I would be missing, or whether we are talking about the same thing. The requirement to meet is: Implement a formal information risk management process that includes the identification and classification of information assets, risk impact, risk likelihood and risk scores with quantitative definitions, risk treatments, definition of treatment plans, formal follow-ups, implementation of steering committee meetings and a review cycle in accordance with ISO-27005, and carry out the first annual risk assessment.

  • Audit checklist points

    I am looking for audit checklist points that can be done remotely while the user is working from home.