ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Implementing ISO 27001

    Hello Dejan,

    as you might know, we are already ISO 17100 and ISO 9001 certified. And we will have the audit for these two ISOs on the 9th and 10th of November.
    Now I want to change the documentation we had for IT security to ISO 27001 documents we got from you so that we avoid duplications and unnecessary work. For the ISo 9001 & ISo 17100 we already had the description of our workstations, servers, password management and software (Bitwarden), antivurs/firewall policies and software (Bitdefender endpoint security), etc. But now I want our IT to put everything into documents that we can use for the ISo 27001.   
    1. Should we start with the risks and then explain our ations and measures to reduce the risk. For example, weak passwords -> strikt Password policy, bitwarden, etc.OR: Do we say what we have and what is it for?
    2. In your documentation we don't find any inventories of hardware and software. Isn't that necessary? 
    3. Do you normally recommend creating a flowchart for the server and backup systems, or do you explain everything in an Excel?
    4. Our team (12 people) is working in home office and we work with many freelancers. So we think we should limit the scope of our ISO 27001 to specific service and not to the whole company. What do you think?

  • Combining ISO 27001 with other standards

    Con qué otras ISOs se podría complementar?

  • Help with ISO 27001 implementation

    Dear Advisera Support Team

    I have just purchased your "ISO 27001/ISO 22301 Risk Assessment Toolkit English" because I really find your concept practical according to the free downloadable materials on your website. Unfortunately after having looked through all the contents of the package, I am not fully satisfied with the purchase while expected more examples related to the asset-threat-vulnerability approach as written here in this site:

    Diagram of ISO 27001:2013 Risk Assessment and Treatment process (
    Could you please help me out? What I am looking for is more examples like this, something like a collection which ISO controls could address which threat and vulnerability types, a matching table would really help me. I would like to seek your support and advise here, especially when the assets would be infrastructure elements like a Domain Controller or a VPN gateway.

  • The best way to include “evidences” of policy implementation

    Thank you for this mail. I’m currently beginning redaction of the first documents and follow your online training. As I’m very satisfied of both ,  I’m also studying the opportunity to take a company account on advisera training for our employees awareness training.

    After hours of reading and watching the very complete content of your website (blog, videos…) I don’t have any questions requiring a meeting, except one you could surely answer by email : what Is the best way to include “evidences” of policy implementation (screenshot, configurations … showing that a rule or control is implemented) ?

    • put them in a folder listed in the record part of the document (one folder by audit date ?) and put link to invidual files in the document (difficult to handle as folder is not always attached to the document, especially when sent to employees who don’t need to have such evidences)
    • put them in aforementioned folder, but without any link ? but this way it could be difficult to see which file corresponds to which rules/ controls
    • other way ?

    Once again, thank you very much for the quality of your service

  • ISO 27001 certification

    I am an *** Branch of a Foreign entity doing business in ***, my foreign parent has taken iso certification. So by being the branch of this foreign entity do I have to apply for iso certification again in ***?

  • Meaning of Bomb attack and bomb threat

    what's the meaning of Bomb attack and bomb threat? they mean logical bomb such as (DDOS,...)

  • Question about documents

    I am having some difficulty with matching the list of documents/templates purchased to those mandatory documents shown in the book Becoming Resilient.  See below.  I can find the Business Continuity Objectives template or Competencies of Personnel and Results of BIA.  Did I get the whole set?  Thanks for your help. 

  • Roles and Responsibilities

    Is an obligation define roles and responsabilities for TI in a Company with different Areas or Department? and that roles must be included in the Organizational Chart?

  • ISO 27001 for medium-sized companies

    Isn't ISO27001 a bit oversized for medium-sized companies with a company size of approx. 270 employees? especially if you are not in system-critical industries?

  • Required reference documents for EU GDPR & ISO 27001 Integrated Documentation Toolkit

    So EU GDPR & ISO 27001 Integrated Documentation Toolkit does not include Annex A for ISO 27001. Do you have a product or book or set of items that we could buy that has the required documents so we could do the “Integrated Documentation Toolkit”? some sort of additional product addon?

Page 2 of 411 pages