ISO 27001 & 22301 - Expert Advice Community


  • Assignment of documents

    Hello,
    We use XYZ as our document management system. I have mapped the structure of the ISO 27001 standard in XYZ.
    This means that I store all documents of the norm chapter 4.1 in XYZ. I now have the problem that I do not know where to file documents for Annex A. So the password policy concerns the sections A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3. But how and where do I store them in XYZ? Does this belong in separate subchapters of chapter 8.1, or how do I do it best?


    I would be pleased about quick feedback.

  • BCM framework and policy

    Currently, I am drafting a BCM framework for my small organization, which is on a SaaS platform. We have multiple sites as well, within XYZ and XYZ.

    Could you please give me some input/guidance on how to draft the framework and policy, and what points to consider keeping SaaS in mind?

  • Level of information classification

    Hello all, I wanted to know what would be the most appropriate level of information classification given to sensitive and non-sensitive PII.
    Are they considered confidential or less? Or just restricted?

  • Business continuity management questions

    Hello, I work in management systems consulting and I want to find information in this business continuity manual. Questions: what kinds of incidents can disrupt the business? Does it only refer to information security, or should the risks associated with the specific business be identified? Considering that we live in Uruguay, a country where there are no earthquakes, volcanoes or snow, and where only a strong storm can occur, is the scope of this oriented towards emergency and evacuation plans and information security?

  • Documenting policies

    I would like your advice on whether or not you feel we need to have a separate document that outlines BYOD and Teleworking or it would be sufficient to put these policies in our Staff Handbook which is quite extensive.

  • ISMS documents

    The website does give a preview, but not of all documents. The website, however, advertises that all documents are provided: https://www.screencast.com/t/ShGCKdye1

    Logically, the controls documents (or at least a listing of the appropriate information in the documents) are required for completion of the project for certification; otherwise, I am flying blind. Yes, the consultant support is nice, but I cannot reference a consultant all the time.

  • Risk assessment and treatment

    We purchased Advisera's ISO 27001/22301 documentation toolkit. With regard to the risk assessment and treatment score, our consultant wants to adopt a different matrix for preparing the risk register, since he has not come across the scoring methodology you have suggested in the attached document.

    Could you please confirm that the scoring method you have given us (for the likelihood, severity and risk scores) is a method accepted by certification bodies, since we do not want to face problems with our certification body?

  • Change management

    What guidance can be offered for implementing a change management procedure that takes into account a technology company that is continuously changing? We are implementing a CI/CD (continuous integration and continuous deployment) pipeline and are unsure about the best way to handle change for both software and cloud infrastructure to meet ISO 27001 requirements. Any sample policies or guidance in this area would be very helpful.

  • Access control

    Is it anywhere in the ISO 27001 standard explicitly defined/written that the HR department should define access rights based on the valid work positions in the company? If it is, please tell me in which clause of the standard.
    Or, if it is NOT, then who should define who should perform this task during the implementation of ISO 27001 in a company? The management board? Can this task be assigned to the IT department in coordination with the HR department?

  • Integrating ISO 27001 and ISO 9001

    My organization now has 9001 but wants to implement 27001. What would the integration look like, or do you need to have a separate quality manual?