ISO 27001 & 22301 - Expert Advice Community


  • Cost of ISO 27001 certification and Internal auditor re-certification

    I am trying to estimate the cost of ISO 27001 certification for my company, and I am also trying to figure out, for internal auditor certification, whether there is a requirement that auditors get recertified periodically?

  • Maintaining ISMS Certifications from a merging company

    This is a scenario. Company A is currently ISMS certified – the scope: Security Operation Center (SOC), located at office A, using System A. Company A needs to be re-certified by the end of February. Company B (not ISMS certified) bought over Company A. Their merging exercise is to be completed in March. They intend to relocate the SOC to location B, and may be using a new System B (later, after the relocation). They want to maintain the ISMS certification of the SOC (previously Company A). I would appreciate your advice: What is their action plan in order to maintain the ISMS certification? Company B also intends to extend the scope of the ISMS – new scope – whole company? What do they need to do? Thank you

  • Toolkit selection

    Which of your toolkits is the best option:
    ISO 27001 Documentation Toolkit or ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit?
    Can we guarantee that the 13 points mentioned below are covered in either of the toolkits?

    1. Encryption key management
    2. Network segregation
    3. Audit logging
    4. Patch and vulnerability management program
    5. Information security awareness, education, and training
    6. Physical and environmental security
    7. Operational procedures and responsibility
    8. System acquisition, development, and maintenance – including secure coding practices
    9. System access control
    10. Personnel security
    11. Backup
    12. Encryption at Rest
    13. Security Monitoring Practices

  • Control application

    Regarding A.17.2.1, our business is to provide services to our customers via cloud resources. Would this annex apply to all our customer-facing services as well or can it apply only to our corporate environment and part of our corporate business continuity strategy?

    Trying to determine if we can write our policy to only include corporate and not customer resources.

  • Physical penetration testing

    How does the ISO 27001 view physical penetration testing?

  • Obtaining management support

    How do I convince my top management about ISO 27001/ISO 22301?

  • Segregation of duties, cyber security and business size

    1. I just need a document on segregation of duties with regard to management of IT and IT security.
    2. Who is responsible for drafting the Cyber Security Management policy?
    3. What defines a small to medium business: the number of people, the geographical spread, or both?

  • Documenting information

    Since ISO 27001 asks for documented information and it is a mandatory document, do we have to document it if it is already published on our knowledge-based collaboration platform in the organization, with access limited to the development team?

    For example, if for the process A.14 System Acquisition, Development and Maintenance the information is available on our knowledge-based collaboration platform with access limited to specific people, and this page has all the information regarding the secure development environment and all other points in the A.14 controls, do we still have to document it on the template, or can we, during the Stage 1 audit, show the description directly from this link to the auditor?

    I’m asking this just to avoid the double task of updating the documentation.

  • Legal requirements

    I am in South Africa and was going through the list of laws and regulations for South Africa in your article Laws and regulations on information security and business continuity: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

    When it comes to information security, my confusion is whether the 3 listed are applicable to everyone, irrespective of the nature of the business?

  • Obtaining management support for an ISMS

    Hi, I hope you are well. I am trying to convince top management to invest in ISO 27001. I am writing the scope of the ISMS. I have two statements:
    1) Information Security Management System applicable to the provision of IT Services supporting information assets of the organization.
    2) Information Security Management System applicable to the provision of IT Services of the organization.

    Which one is the best option to go with? If you can help me build another one, you are most welcome.