ISO 27001 & 22301 - Expert Advice Community

Control application

Regarding A.17.2.1, our business is to provide services to our customers via cloud resources. Would this annex apply to all our customer-facing services as well or can it apply only to our corporate environment and part of our corporate business continuity strategy?

Trying to determine if we can write our policy to only include corporate and not customer resources.

Physical penetration testing

How does the ISO 27001 view physical penetration testing?

Obtaining management support

How do I convince my top management about ISO 27001/ISO 22301?

Segregation of duties, cyber security and business size

1. I need just a document on segregation of duties with regards to Management of IT and IT Security?
2. Who is responsible for the drafting of the Cyber Security Management policy?
3. What defines a small to medium business the no. of people or geographical or both?

Documenting information

Since ISO 27001 asks for the Documented information and it is a mandatory Document, do we have to document it if it is already published on our Knowledge-based collaboration Platform in the Organization with the Access limited to the Developing Team.

For e.g., If for this Process  A 14 System Acquisition Development and Maintenance, the information is available on our Knowledge-based collaboration Platform with the Access limited to the specific people. This page has all the information regarding the Secure Development Environment and all other Points in A.14 Control, then do we still have to document it on the Template or can we, during the time of Stage 1 Audit, show the description directly from this Link to the Auditor.

I’m asking this just to avoid the double task of updating the Documentation. 

Legal requirements

I am in South Africa and was going through the list of laws and regulations for South Africa in your article Laws and regulations on information security and business continuity: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

When it comes to information security, my confusion is are the 3 listed applicable to everyone one irrespective of the nature of business?"

Obtaining management support for an ISMS

Hi, I hope you are well, I am trying to convince top management to invest ISO 27001. I am writing the scope of the ISMS. I have two statements:
1) Information Security Management System applicable to the provision of IT Services supporting information assets of the organization.
2) Information Security Management System applicable to the provision of IT Services of the organization.

Which one is the best option to go? if you can help me to build another you are most welcome.

Supplier Security

To make sure to have a good Supplier Security, is it recommended to get an ”Order Data Protection Agreement” signed by the suppliers as well as the Third Parties the company is working with?

If yes, do you have any Standard Template for this or we take any Template available on the Internet?

PFA one template and suggest if it looks fine to be used with Suppliers and third Parties.

Identification of justifications for SoA

In the Document 06_Statement of Applicability, in the Column below in “Justification for selection/non Selection in SOA” how can we identify that whether the selection of a control is based on Risk Assessment results, contractual or legal obligation?

How to Implement Information Classification in a Dept.

Hi

I want to implement data classification in a dept. I should know how to approach this practice? What are the things and documents that I should consider for this classification. I already have information classification procedure which has levels of the classification defined but that is not implemented on the ground

I want to start the implementation and want to cover both structured and unstructured data.

Please advise

Thanks