
ISO 27001 & 22301 - Expert Advice Community




  • ISO 27001 Management Review: Fulfillment of the security objectives

    Greetings all.

    I have a question about one of the topics to be addressed during the ISO 27001 Management Review: the fulfillment of the security objectives. I have some challenges presenting this topic.

    To fulfill this requirement I was thinking of addressing the ISO 27001 6.2 requirements (6.2.f what will be done, 6.2.g what resources will be required, 6.2.h who will be responsible, 6.2.i when it will be complete, 6.2.j how the results will be evaluated) through a table that would contain columns for these different topics:

    Recommendation (from the risks assessment)
    Risks (covered by the recommendation)
    Roadmap Project (which contain all the details of the resources, the deadline, the responsible)
    Related Security Objective
    Related KPI with target
    Progress Status of the project.


    Is it something that you think can help address this?


    Thanks for your valuable recommendations.


  • Doubts about the package of documents to buy

    Hello, I would like your advice on what package of documents is useful for me to work on some rules and policies of ISO 27000.

    I have to comply with these points:

    1. Secure management of electronic and paper information (secure means of printing, storage, transfer).

    2. Timely management of critical and security updates of the operating systems of any equipment and corporate applications that receive, process and/or protect CLIENT information.

    3. Correct administration of the antivirus systems that protect the equipment that receives, processes and/or protects the CLIENT's information.

    4. Appropriate controls to protect against unauthorized access to IMR's corporate networks (protection of wired and wireless networks, intrusion detection, etc.).

    5. Adequate controls over the privileges/profiles of all users, as well as administrative permissions exclusively to prevent the installation of unauthorized software, blocking of portable applications, games, unauthorized programs and any other code or executable files that could put at risk the information that is processed in the equipment with access to CLIENT information.

    6. Appropriate controls for good use of internet connectivity, taking care that CLIENT information cannot be exposed in services such as public email, instant messaging, social networks, discussion forums, file sharing sites, among others.

    7. Appropriate procedures for the correct administration of Security Incidents (information theft, misuse of information, damage to equipment with CLIENT information, among others).

    8. Appropriate controls for access to equipment containing CUSTOMER information, procedures for managing users due to employee termination or role changes, etc.

    9. Correct controls to guarantee the integrity of the equipment when it is unattended (automatic locks with screen protection, physical locks to secure equipment, etc.).

    10. Correct and complete documentation to ensure that the personnel who access the CLIENT's information have complied with a formal hiring process, signature of confidentiality agreements, among others.

    11. Appropriate procedures to control confidentiality agreements with third parties, indicating the prohibition of contracting/sharing/accessing CLIENT information with unauthorized third parties, without having previously documented the CLIENT's authorization.

  • Query on ISMS Scope

    I had a small query on the outlined ISMS scope in the organisational units.

    Can you check the attached image if it is correct for the organisational unit highlighted scope?

    • I have added myself (IT security admin) and the Internal Audit Team.
      • I will be leading the ISMS implementation while the Audit team will perform the internal audit of the ISMS implementation.
    • With the location and network in scope and out of scope,
      • Can we include all offices in scope as listed in the previous document as the outsourcing team will be working across Nepal offices?

    As we cannot segregate office locations specifically for the outsourcing division, we will assess and implement ISO controls accordingly for the outsourcing team.

  • Questions related to ISO 27001 Controls

    I am curious to know about the coverage of all controls during the external audit. To one of my questions, you said that only the controls which are applicable can be considered.

    So, my next question is: I am working for an IT software company, and can I skip any or all of the following controls?

    A.6.2 Mobile devices and teleworking
    A.7 Human resources security
    A.8 Asset management
    A.9 Access control
    A.10 Cryptography
    A.11 Physical and environmental security

    Please advise. I would like to know:

    a. What are the criteria for selecting a control?

    b. What all are the mandatory controls (a must control) which the external auditor would like to see for certifying the company?

    My understanding is that all the controls are applicable to all the industries, companies etc. Hence the question.

  • Different companies in scope ISO 27001

    1 - I have some questions regarding the ISO 27001 ISMS scope and organizational units. We are implementing the documentation in two of our companies (same corporate group). The whole of Company X is within the scope but only the compliance office in Company Y. We include them both in the scope. Is this correct, or do we have two sets of documentation? We are using the same equipment and facility at the moment.

    2 - I also have a question regarding the risk assessment table. To be compliant with the ISO standard, should we change the risks in the risk assessment after the risk treatment? For example, if risk X has been reduced due to the implementation of a policy, should we change the risk from e.g. 3 to 2 in the risk assessment? Or should we not change the risks after treatment at all?

  • Internal Audit Report Review

    I have your documents for the internal audit report and the checklist. On the internal report, is it acceptable to state that everything was implemented correctly and there was no finding for improvement?

  • Certification process of sister company

    The majority of our finance, HR and other major departments are managed by our parent company, but our sister company wants to become ISO 27001 certified. How do we manage the certification process? Please note that we will require access to the HR and finance departments, for instance. Additionally, we are headquartered in site A and have a branch in site B, but we wish to obtain certification only for site A. How are we going to treat our employees in site B and under which category should we put this?

  • Business Continuity Plan Testing Exercise

    We are planning a BC Plan tabletop exercise for a scenario called Data Centre Power Outage. I understand the BC plan is a product of Risk Assessment and Business Impact Analysis. I just joined this new organisation and all have been given BC Plan. Not sure how risks were assessed and BIA was done.

    Question: Can we include the risk assessment and BIA in the test exercise and ask questions on that? Or, in other words, should we do both analyses during this testing exercise?

    Secondly, what are the most relevant questions we should be asking?

    Many thanks


  • 27001 Certification for Multiple Companies / Geographic locations

    I'm trying to write and implement an ISO 27001 compliant information security management system (ISMS) for the company I work for. Currently we have our HQ in the UK (2 office locations plus a test site) and an additional office in Europe. Currently the goal is to have the ISMS applicable to the UK locations, and the EU location is scoped out as a subsidiary / third party providing services to the UK organisation. The EU office also manages the IT infrastructure of the UK office. I'm not sure of the reason the EU is scoped separately, but I believe it's to avoid complexity and expense. We share intellectual property and confidential information (just technical, generally no Personally Identifiable Information) back and forth between the UK and EU offices and eventually plan to move to a shared cloud database managed by the UK, but the EU has access and contributes. How will the ISMS work in this situation? Are subsidiaries and third parties considered the same under the ISMS? Am I right in thinking that the UK and EU offices need a contract in place defining the services provided (IT management, design work, etc.), including the security requirements the EU office must follow to meet the 27001 standards of the UK office?

  • Auditor definition

    Example: John is Lead Implementer of the ISMS, and Jack is his colleague from the same team. John's boss (who is also Jack's boss) wants to get the internal audit performed by Jack. Is it a conflict of interest for Jack? (Jack was not involved in the implementation, but he has the same boss.)
