ISO 27001 & 22301 - Expert Advice Community

  • Asset Inventory

    In your doc framework, there are two places where asset inventory is being used:

    1. In the risk analysis – the main attributes of the pure asset here are name (and category) and the owner
    2. In A.8.1 – the attributes here are again name/category and owner, plus the result of the (last?) risk analysis?

    I am wondering where the classification info for the assets is taken into account. In some other examples of the inventory I found on the web, the CIA classification values are also stored, as well as numerous additional pieces of information such as

    • process and org unit the asset belongs to
    • process owner
    • some flags for personal or customer sensitive data
    • CIA values
    • asset custodian (seems to be similar to the owner)
    • data retention period
    • users, location, etc, etc

    and in some examples, the records are different depending on the type of asset.

    Since we are SW developers in our DNA ;-) we are planning to build a little DB tool for the inventory and RA.

    The inventory structure you suggest in your framework: is it meant as the absolute minimum you require to survive an audit?

    So having more attributes will eventually make the assessment survey take longer, but should not be a problem, right?

    Would appreciate some answers very much!

  • Asset Type in the Information Asset Inventory

    In your book you state ".. processes are not part of the asset inventory ..".

    And I cannot find processes in the predefined categories of the table in 05.1 of your doc framework.

    What is the reason for this? Are processes handled somehow separately? Or is it because we just should take into account the assets the processes consist of?

  • ISMS Scope

    We are using Google Cloud Services for all infrastructure and use other SaaS providers, e.g. for identification services and financial status information on customers to the banks.

    Right now I'm working with the ISMS scope document and struggle a bit with the boundary of the scope.
    I assume Google IaaS should be outside the scope, as well as the SaaS services we use.
    This is not as clear as the example used in your doc (private laptops and phones).

    Any guidance on best practices for the ISMS scope in our case would be greatly appreciated before taking the next step.

    (we would include the full company in the scope since we are very small)

  • Applicability of A.10.1 Cryptographic Controls

    Our organization uses digital certificates for Internet-facing services; apart from that, we do not use any cryptography. In this case, would A.10 be applicable to our organization?

  • A6 Internal Organisation

    In Clause A6, we need to maintain contacts with the superior authorities and the special interest groups.

    Could you please explain this point? If I understood correctly, we need to maintain contact with the superior authority of the state to which we can report any data breach.

    How can we prepare the documentation for it?

  • COBIT, ITIL and ISO27001 comparison

    Hello! Is there any comparison between COBIT, ITIL and ISO 27001?

  • ISO 22301 Base policy

    So there is no policy directed at ISO 22301 as a base policy, just an IT security policy. The ISO 27001 base policy will not work for ISO 22301. All these docs are distributed by the ISO 27001 Academy. Where are the 22301 base policy documents? Am I missing a vote on ShareFile? I can't see them.

  • BCM Manager tasks

    I am interested in the implementation of ISO 22301 in an organization. What is it that I need to do as a BCM Manager in order to make this journey? Including ISO 22301 courses that I may need to attend to obtain a better understanding.

  • Implementation timeframe

    We are considering buying the "27001 toolkit bundle".
    What is a realistic timeframe to complete it and be ready for audits?

  • Risk Assessment

    How do I combine the following into one single tool: Risk Assessment Table, Risk Treatment Table, and Risk Treatment Plan?