ISO 27001 & 22301 - Expert Advice Community




  • Define Locations if all staff are remote

    I am unsure how to define/explain a location if all staff are working from home in the Scope.

    Would you simply state locations as 'Various remote locations' or something different?

  • Scope definition

    Hi Dejan, thank you for the Webex on Defining the Scope yesterday. It was very informative.

    I raised a question about defining the Scope if you are an MSP / the Cloud and Infrastructure is shared, and you said you would ask your team and get back to me. To summarise, I’ve tried to explain the question a bit more clearly below.

    We established that customers are interested parties in the ISMS. I understand that. My question is: what if you then share the underlying infrastructure, for example a physical server that is running a virtual machine that the MSP owns and a virtual machine of the customer? The MSP has a responsibility to the customer, as defined in the contract, to keep the virtual machine that resides on that physical server available. Then, as far as the MSP is concerned with regards to ISO 27001, the physical server will be within scope as it is MSP owned, along with the virtual machine that resides on the physical host, because it is MSP owned.

    This means the MSP has a physical host and a virtual machine that are in scope, but the virtual machine that belongs to the customer is out of scope, since it is only the MSP and not the customer that is looking for certification. In addition, the MSP can’t be responsible for certifying all its customers. So how do you define the Scope in this situation? The customer virtual machine and the MSP virtual machine on the same physical host are separated logically.

    I’ve also been looking at your Conformio product. The problem we have is that, given the nature of our business (MSP / ISP), I think we would need some additional support, more so than just email: someone who understands our business and whom we can speak to to ask questions. A combination between a Consultant and your product. Do you offer anything like this? Would there be an opportunity to work something out with Advisera to achieve this that meets our needs?

    Thank you

    P.S: I found your book Secure and Simple along with your website very helpful and well written.  So thank you for that.

  • Question on ISO 27001

    I do indeed have a very specific question that I cannot answer, or I do not find the right articles in ISO 27001.

    I am having a pretty hard discussion with a supplier, who will not send us Service Tickets to our service e-mail, but only to dedicated persons.

    His rationale is this: "ISO 27001, Annex A9.2.1 requires user IDs to be restricted to real people so that these accesses can be restricted and logged."

    It is just that I do not have ANY clue what he is referencing. In my opinion, 27001 Annex A 9.2.1 states the following:

    9.2.1 Registration and deregistration of users

    A formal process for the registration and deregistration of users is implemented to enable the assignment of access rights.

    Can you help me, and do you maybe know what he is referencing?

  • CMMC guidance

    What I am looking for now is guidance regarding CMMC, and how registrars and auditors can become CMMC certified. Any direction that you can provide along these lines would be greatly appreciated.

  • Operational Security Objectives

    We are confused on this section: Decreasing or Increasing. What if we don't have any incidents for the year? We can't decrease it. We don't have ISO yet and haven't had issues with onboarding customers; would it help in increasing revenue?

  • Register of Legal, Contractual, and Other Requirements

    I needed more clarification on this section. What information needs to be listed in the register? For contractual, I am guessing this would be our customers, since they have a contract with us, but would we have to list all our customers? There are too many, and for privacy we cannot list any customers. If we can list just a general "Customer", that should be okay, but I am not sure what other parties need to be included.


    CISSP is "owned" by ISC2, PMP is "owned" by the PMI, etc., so those certificates are from one body, and the exams are centrally managed. The questions will always be the same, rather than every training provider creating their own exam. Is that the same with ISO 27000 auditor exams? Just trying to understand the concept :-)

  • Cyber security certificates that guarantee entry-level work

    What are cyber security certificates that guarantee entry-level work?

  • Question about training

    1 - I wanted to know, for the Security Awareness Training, if we have our own training, can this be used and we just have to log when the training was completed? Who should participate in the training, as all employees take this training?

    2 - It's from a site, KnowBe4. I wanted to know, for this part, can our employees use this site, or do they have to use your site for ISO? Do we have to show who has had training?

  • Missing documents

    "Hi, I am a customer and purchased the ISO set, but 12.4.1, 2, 3 and 4 are not in the document set."

    Can we look into this and send him the missing documents?
