-
Template content
Which of your documents include the step-by-step process of implementing a business continuity plan after it has been created?
-
Questions about document management
I've purchased the toolkit for ISO 27001 and right now I am going through the various documents.
- As far as I understand the offer, the package includes unlimited questions via email, right?
- I am looking for areas regarding data retention and requirements from ISO 27001 standards. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it nor a template in the toolkit.
- Does ISO 27001 require keeping "Records of erasure"?
- Are "Records of erasure" applicable in the case of offboarding or also as part of retention of data? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and his laptop is "erased" for reuse by another person. In my understanding, that provides enough evidence that the device/laptop/asset has been erased and satisfies A.11.2. Is this the right understanding?
-
Career development of information security
I have over 12 years of experience in ITES in Infrastructure Services, including the most recent 5 years' experience in the eDiscovery domain. I am currently working as an Assistant Manager and would like to move my career to the Information Security domain, and I am also seeking a next-level position in my current org. I would like to know which certification would help me to grow: ISO 27001 or CISM.
-
BCM policy gap analysis
I am intending to perform a BCM policy gap analysis. Which of the documents would be best suited for this purpose? I have the GPG 2018 and ISO 22301 and have referenced the aforementioned.
-
Review of Control A13.1
Hello Team, how do you review Control A13.1 when it is hosted on AWS?
-
ISO standards related to ISO 27001
I work in security and want to focus on ISO 27001. What other ISOs are related to 27001, and to what clause? I've seen a few mentioned now.
-
ISO 27001 and scrum
Hi, I wonder if you can share views or references regarding ISO 27001 compliance efforts for companies adopting Agile SCRUM for software development. I'd also love to know an ISO 27001 auditor's view on that.
-
Infosec policies
I found a simplified security policy which encapsulates a lot of the policies provided in the toolkit but at a higher level. Would something like this be appropriate for our implementation of ISO 27k and would it be appropriate for an audit?
-
Risk management manual
The question is to develop a "risk management manual" for any organization of my choice.
-
Scope definition and certification costs
"Greetings, I'm sending you the following questions:
- In the institution, we have a core business system, which interacts with other systems and is projected to link with more and more of them, so I am analyzing whether it is feasible to obtain the ISO 27001:2013 certification only for said system and the entire infrastructure, processes, resources, and assets surrounding this management information system. Is this feasible? Implementation is not required for the entire organization.
- Can the certificate logo be used on the home page of the management system (as a matter of institutional presence)?
- I understand that you sell the documentation package, but I would like to know the approximate cost of the audit to obtain the certification."