ISO 27001 & 22301 - Expert Advice Community


  • Filling template List of Legal, Regulatory, Contractual and Other Requirements

    We acquired the ISO 22301 Documentation Toolkit some time ago and just started to implement the ISMS for our company. I was delegated the project manager role for this project and, as this kind of project is completely new to me, I’m not sure whether I understand everything correctly. Right now we are at the stage of identifying the requirements and expectations of interested parties, and I expect that the people I’m about to interview will have trouble formulating their needs. I anticipate them going into many technical details about defining SLA, RTO, and RPO for their related Information Systems, which, as I understand, must be done later. However, I’m not sure what can be mentioned as requirements and how to help interested parties formulate their requirements. Could you please share some experience, maybe in the form of real-life examples, for filling in the “List of Legal, Regulatory, Contractual and Other Requirements”, with a focus on internal Information Resource owners’ requirements?

  • Templates content

    I’ve looked over the policy and found most of the topics I was looking for. However, I can’t see where the topics below would be covered—can you clarify?

    Document retention
    Individual user agreement (employee agreement/ responsibilities, often attached to hiring documents)
    Reporting InfoSec Weaknesses and Events
    Responding to InfoSec Reports
    Rules for Use of E-mail

  • Applicability of training for suppliers' employees

    Is it absolutely necessary to train selected employees of our suppliers (Chapter 3.4 Training and Awareness) if the risk resulting from the risk assessment table is very low? In the case described before, is it possible to delete control A.7.2.2 from the security policy for suppliers?

  • Management of supplier relationships

    I have a question about A.15_Supplier_Relationships: the toolkit doesn't really provide an Excel sheet or something similar to manage your supplier relationships. What is your suggestion on this topic?

  • HR policy for personnel security

    I need to produce an HR Policy that covers Personnel Security. This policy needs to cover:

    - Identity proofing
    - Qualification checks
    - Previous employment checks
    - Criminal records checks/police check
    - Employee obligations
    - Separation of activities
    I have reviewed the entire document set that I have purchased and I cannot find a policy such as this one in the mix.

    There is a section on Human Resource Security – but there is no policy – just the confidentiality statement and the statement acceptance.

  • Internal audit

    I have a question related to BC/ISMS certification.
    To fulfil clause 9.2 Internal Audit, is it acceptable to conduct internal audits at planned intervals with an external audit company, or MUST it be internal?

  • Penetration testing frequency

    I was just curious whether either ISO 27001 and/or NIST controls specify the frequency with which (network and/or application) penetration testing should be performed?

  • Inventory of assets and Risk assessment

    1. I am having trouble finding out how these two documents are connected (are both needed?): 11.A.8.1_Inventory_of_Assets_Integrated and 07.1_Appendix_1_Risk_Assessment_Table_Integrated. In inventory of assets.

    2. How do we know how to assess "Impact/Consequences"? What do we base that rating on?

    3. And how do we transfer that rating to the Risk Assessment table?

  • Controls for BYOD

    The issue is that not all employees have been granted a company-sanctioned device for accessing our office’s network. Policy-wise, we have restricted them to only using RDP, and they must have anti-virus software on the machine they’re using to access our network; however, I feel this is not enough. I do not have as much experience in this area as others may have, so I’d like to know how other companies deal with such a thing. Can we force our employees using their own devices to install MDM software provided by the company so that we have some control over what’s connecting to our network? Is that the best route, or will backlash/pushback from the employees being forced to install something they may deem intrusive actually work against us in this process? What about employees accessing our email system (Office 365) on their personal phones – should we extend MDM and controls to those devices as well? Can/should we define a list of acceptable phones/operating systems to be used in our BYOD policy?

    Any insight you could provide here would be greatly appreciated. In a perfect world, I would issue each employee a company-owned laptop/phone to deal with this situation, however, we just do not have the budget to go that route.

  • Standards new versions

    I recently found out that ISO 27001/27002 and 22301 have all been replaced by 2017 versions. How different are these from the 2013 versions used in all the webinars and documentation?