Guest
My registrar is telling me I have to have my recertification in December. My ISO cert will expire on Feb 13, 2021. We don't want an audit in the middle of the holidays due to limited availability (so much vacation). Why does it have to be two months prior if my cert is good through February?
I would like clarification on the documents required against Annex A controls A.12.5.1 and A.12.6.2.
We have a written document against A.12.6.2 which specifies:
- Users cannot install any software
- Only IT can install software
- All software is to be approved by IT
- Software installation by end-users requires an exception with risk impact
Is there a separate document required against A.12.5.1?
We are looking to become ISO certified. We have a head office and approximately 50 sites across the XX. Is it possible to have only the Head Office in scope? It is quite a flat IT network, and the head office houses finance, HR and other departments for all the sites.
Just 2 more questions please:
Regarding the 27001 security control ANNEX 7 ‘SYSTEM ACQUISITION, DEVELOPMENT & MAINTENANCE’, do you have one single document that addresses this particular control? If not, which selection of documents do I need to purchase to address these requirements?
Likewise, is there one single document that covers Annex 7 – HUMAN RESOURCE SECURITY?
1. Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include their source in the scope? For example, there are some laptops that can access and (download or view) some sensitive data from what is in the scope, so do we need to include these laptops in the scope, or just apply some controls to mitigate the risks coming from them?
2. What is the difference between existing controls and planned controls? Do we need to have both in the risk register?
3. Should we write already mitigated risks in the risk assessment phase? For example, a security feature in a system is enabled so there is no risk right now, but if someone disables this feature, then it may lead to a potential risk. Do we need to write down these risks in the risk assessment phase?
4. How can we design criteria for the impact if our scope is in the cloud?
Explain how to check that information on significant residual risk is provided to the appropriate people
I have a question and don’t know where I can find the answer to it.
I know a CB is not allowed for consulting
1 - When we talk about ISO 27001, what is the evidence of consulting?
2 - Is a pen test, or a contract for the implementation of a SOC, a type of consulting?
3 - Is a CB allowed to give these services to their clients?
Thank you very much for your time and detailed answers. I only have one more question before I make the purchase:
Comparing the two documents you provide (attached), I see a discrepancy: a few of the documents listed as mandatory in the Checklist are missing from the List of documents in the Toolkit:
- Definition of Security roles and responsibilities
- Acceptable use of assets
- Operating procedure for IT management
- Secure system engineering principles
- Business continuity procedure
Could you please explain?
Hello, I am making a presentation for "STANDARD MANAGEMENT SYSTEM FOR THE SECURITY SERVICE" and I cannot seem to find what I need regarding 3 questions. Can you help me?