ISO 27001 & 22301 - Expert Advice Community

ISMS implementation

1. Estamos iniciando un proyecto de implementación de una SGSI , se decidió trabajar con personal interno , nuestra consulta es si con el " Paquete Premium de documentos sobre ISO 27001 e ISO 22301", es suficiente para implementar una SGSI sin tener experiencia previa ?
2. Existen certificaciones para ser auditor de ISO 27001? Cual nos recomendarías ?

Raising a Non Conformity or Observation in Internal Audit

Hi 

I am managing ISMS and as per the standard and as a continual improvement I have to perform an internal audit for ISMS. An internal audit dept is performing an internal audit. I need clarification in understanding when an auditor can raise an NCR(Minor) and when he can raise an Observation? Suppose I say that since I am certified by an external auditor and I have passed a certification audit by complying with all the mandatory requirements of ISO 27001, you cannot raise an NCR for my ISMS but only can raise Observation.
So am I correct, or internal auditor can still raise an NCR for me?
Please advise
Thanks

Template content - Access control policy

Starting ISMS implementation

Integrating ISO 13485 and ISO 27001 & GDPR

Hello, I would like an advice from an expert regarding integration of ISO 13485 and ISO 27001 + GDPR. We have purchased two documentation toolkits from Advisera: 

• ISO 13485 & ISO 14971 Premium Documentation Toolkit
• EU GDPR & ISO 27001 Integrated Documentation Toolkit

We have already  completed implementation of ‘ISO 13485 & ISO 14971’ toolkit, and we got the ‘EU GDPR & ISO 27001’ toolkit only recently. The question I would like to ask is how would you recommend connecting the two management systems (ISO 13485 and ISO 27001)? Would you recommend setting up an Integrated Management System? Or perhaps would you recommend keeping both systems separately and just referencing the ISMS in the QMS?

Development of an ISMS

Hello, I am an IT Manager so I need to develop an ISMS (Information Security Management System) documents that will include but not limited to Risk Assessment Methodology, Risk Assessment, Statement of Application, Risk treatment plan, Implementation of control and remedial procedures, Training and awareness, Operate and monitor the ISMS.

Controls from Annex A

 Referente al paquete de documentación que adquirimos con ustedes, leí que se puede tener asesoramiento vía email, le comento que ya empezamos a trabajar con la documentación de ISO 27001, pero nos surgen muchas dudas respecto a la lista de controles del anexo A, respecto a eso tengo un par de preguntas:

    ¿Existe documentación por parte de Advisera especifica que englobe los controles del Anexo A?
    ¿Es necesario un documento especifico para cada uno de los 114 controles?

(Regarding the documentation package that we acquired with you, I read that you can have advice via email, I comment that we have already started working with the ISO 27001 documentation, but we have many doubts regarding the list of controls in Annex A, regarding I have a couple of questions:

1 - Is there a documentation by specific Advisera that encompasses the controls in Annex A?

2 - Is a specific document necessary for each of the 114 controls?)

Risk assessment internal and external criteria and factors

Cuales son los criterios y factores internos y externos que se aplican en la evaluación de riesgos?

Control implementation

 We have passed the stage 1 of ISO 27001, one of the minor finding we should have Secure system engineering principles, as we develop a software.

I checked in your documentation of ISO 27001, there is no Secure system Engineering policy and procedure. Could you provide some guidance what should be written?

Communication plan

I’m seeking information on a communication plan template in the Advisera’s ISO Toolkit 27001_22301. 

I read this article and now I’m trying to locate the template.

https://advisera.com/27001academy/blog/2014/10/27/how-to-create-a-communication-plan-according-to-iso-27001/