ISO 27001 & 22301 - Expert Advice Community


  • Segregation of duties, cyber security and business size

    1. I just need a document on segregation of duties with regard to management of IT and IT security.
    2. Who is responsible for drafting the Cyber Security Management policy?
    3. What defines a small to medium business: the number of people, the geography, or both?

  • Documenting information

    Since ISO 27001 asks for documented information and it is a mandatory document, do we have to document it if it is already published on our knowledge-based collaboration platform in the organization, with access limited to the development team?

    For example, for the process A.14 System Acquisition, Development and Maintenance, the information is available on our knowledge-based collaboration platform with access limited to specific people. This page has all the information regarding the secure development environment and all other points in the A.14 controls. Do we still have to document it on the template, or can we, during the Stage 1 audit, show the description directly from this link to the auditor?

    I’m asking this just to avoid the double task of updating the documentation.

  • Legal requirements

    I am in South Africa and was going through the list of laws and regulations for South Africa in your article Laws and regulations on information security and business continuity: https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

    When it comes to information security, my confusion is: are the 3 listed applicable to everyone irrespective of the nature of the business?

  • Obtaining management support for an ISMS

    Hi, I hope you are well. I am trying to convince top management to invest in ISO 27001. I am writing the scope of the ISMS. I have two statements:
    1) Information Security Management System applicable to the provision of IT Services supporting information assets of the organization.
    2) Information Security Management System applicable to the provision of IT Services of the organization.

    Which one is the best option to go with? If you can help me to build another one, you are most welcome.

  • Supplier Security

    To make sure we have good supplier security, is it recommended to get an "Order Data Protection Agreement" signed by the suppliers as well as the third parties the company is working with?

    If yes, do you have any standard template for this, or do we take any template available on the Internet?

    PFA one template and suggest whether it looks fine to be used with suppliers and third parties.

  • Identification of justifications for SoA

    In the document 06_Statement of Applicability, in the column "Justification for selection/non-selection in SOA", how can we identify whether the selection of a control is based on risk assessment results, or on a contractual or legal obligation?

  • How to Implement Information Classification in a Dept.

    Hi

    I want to implement data classification in a dept. I need to know how to approach this practice. What are the things and documents that I should consider for this classification? I already have an information classification procedure which has the levels of classification defined, but that is not implemented on the ground.

    I want to start the implementation and want to cover both structured and unstructured data.

    Please advise.

    Thanks

  • How to establish new ISMS Objectives

    Hi, I implemented an ISMS in my company 2 years ago, and all the objectives which I proposed during the implementation are already completed. I need to establish new ISMS objectives for the next 2 years at least. I have the below doubts in mind:
    1. How should I proceed in this case? Which factors will the new ISMS objectives depend upon? How can I make new objectives?
    2. What will happen to my objectives which have been completed?
    3. Do I need to keep a record of them for management review in the future?
    4. Do I need to make an implementation plan for the new objectives and how they will be achieved?
    Please advise. Thanks

  • Calculating audit days

    How can I calculate the ISO 27001 certification renewal audit days for my company? I know that it is according to the employee number. However, how can I evaluate whether the number of days is fair or not? For 21 employees, they specified 4 days. The quality system is the same, the people are the same, no major change for ISO 27001...

  • Audit forms

    I am reading the audit self-study, and your video is very helpful, but I have doubts about what I should think about for the audit to be written down in forms. What do the forms look like? I really hope you can help me. What are the right tools I should use?