ISO 27001 & 22301 - Expert Advice Community

Business continuity management questions

Hola, trabajo en consultoría en sistemas de gestión y quiero informarme información en este manual de continuidad del negocio, consultas: que tipo de incidentes pueden disirumpir el negocio? solo hace referencia a la seguridad de la información? o se debe identificar riesgos asociados al negocio especifio. Teniendo en cuenta que viivimos en Uruguay pais donde no hay terremotos ni volcanes, ni nieve solo puede haber una tormenta fuerte, el alcance de esto esta orientado aplanes de emergencia y evacuación y seguridad de la información?

Documenting policies

I would like your advice on whether or not you feel we need to have a separate document that outlines BYOD and Teleworking or it would be sufficient to put these policies in our Staff Handbook which is quite extensive.

ISMS documents

The website does give a preview but not of all documents.  The web site, however, advertises that all documents are provided:

Logically, the controls documents (or at least a listing of the appropriate information in the documents) are required for completion of the project for certification; otherwise, I am flying blind.  Yes, the consultant support is nice, but I cannot reference a consultant all the time.

Risk assessment and treatment

We had purchased Advisera’s ISO 27001/22301 documentation toolkit. With regard to the risk assessment and treatment score, our consultant wants to adopt a different matrix for preparing the risk register since he has not come across the scoring methodology you have suggested in the attached document.

Could you please confirm that the scoring method you have given us (for the likelihood, severity and risk scores) is an accepted method by certification bodies since we do not want to face problems with our certification body?

Change management

What guidance can be offered for implementing a change management procedure that takes into account a technology company who is continuously changing? We are implementing a CI/CD (continuous integration and continuous deployment) pipeline and unsure about the best way to handle change for both software and cloud infrastructure to meet ISO 27001 requirements. Any sample policies or guidance in this are would be very helpful.

Access control

Is it anywhere in the iso 27001 standard explicitly defined/written that HR department should define access rights based on the valid work positions in the company? if it is, please tell me in which clause of the standard
or if it is NOT, than who should define who should perform this task while implementation of iso 27001 in one company? management board? can this as a task be assigned to IT department in coordination with HR department?

Integrating ISO 27001 and ISO 9001

Now my organization has 9001 but want to implement 27001 how would the integration look like or do you need to have a separate quality manual

ISO 27018 versions

What's the difference between ISO 27018:2014 and ISO 27018:2019?

ISO 27001 new version

Hello, I'm a legal counsel of the IT-company. We are going to implement ISO 27001. I have found the checklist and toolkit for 27001:2013. But I know that there is the newer version - 27001:2018. My question is: if we prepare all the documents and standards according to the requirements of the 2013 version, shall we be able to pass the certification? Thanks.

ISO 27001 certification process

1. I am currently in the process of trying to get our company ISO 27001 certified. That being said, after going through your toolkit and getting all the document and policies in place, what would be our next step?
2. Who is it that certifies us that we are ISO 27001 certified and provides the certification?
3. I also see that you have a course for lead auditor, what is the benefit of this certification?