ISO 27001 & 22301 - Expert Advice Community


  • Request for Guidance

    Good morning Dejan,

    I trust this mail finds you well.

    I would really appreciate advice as to whom I may contact in order to become a Certified “Accreditation” Auditor.

    I am certified as a Lead Auditor for both ISO 27001 and ISO 9001, and wish to move to the next level, where my role changes from Internal Auditor and Implementer to the role of Certification Auditor for companies that had their ISMS implemented by another party.

    These are the standards for which I wish to become a Certification Auditor:
    - ISO 27001 Information Security Management System
    - ISO 9001 Quality Management System
    - ISO 45001 (14001) Occupational Health and Safety Management System
    - ISO 14001 Environmental Management System
    - ISO 22301 BCMS Business Continuity Management
    - ISO 20000 Service Management System

    I have purchased these standards in preparation for becoming a Certification Auditor:
    - ISO 17021-3 Competency requirements for Auditing and Certification of Quality Management Systems
    - ISO 19001 Guidelines for Auditing Management Systems

    I look forward to your most valued response.

    Sincere regards

  • Losing certification

    Thanks for all your emails. I have a quick question to ask.

    After getting your organization certified, what can make you lose the certification?

    Do you have any possible questionnaire for this?

  • Impact correlation between multiple risks

    Hi Dejan,

    I’ve a question regarding the correlation between multiple risks and the impact evaluation of these correlating risks.

    Let's say I have these 2 risks:

    - Risk 1
      - Asset: Office room
      - Vulnerability: Lack of access controls to facilities, rooms or offices
      - Threat: Unauthorized entry into facilities, rooms or offices
    - Risk 2
      - Asset: Printer
      - Vulnerability: Network devices inadequately physically protected
      - Threat: Unauthorized access to equipment

    Now, during impact evaluation, I would assess the impact of each risk by itself as medium. But if both risks materialize at the same time, I would assess each as a high risk, because this would mean an unknown person instead of an employee would access the printer. How would you represent the combination of both risks during risk assessment?

  • Support re. internal audit section of ISO 27001 2022

    We're currently kicking off the process of becoming ISO accredited. Having looked through the documentation, the section that I'm having difficulty understanding is the internal auditing requirements.

    - Who exactly needs to be audited
    - Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?
    - Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?
    - If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?
    - I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?

    Apologies for all the questions, but I'm not an expert in this so wanting to get a good understanding before we kick off.

  • Support regarding ISO 27001:2022

    I'm unclear on a few things on the overall ISO process (I have sent through a separate email on the auditing process, but having reviewed the rest of the process, I'm unsure).

    Essentially, I get stuck once we get to the point in the project checklist where the procedure for corrective action needs to be written.

    Is the idea at this point to roll out the ISMS we have developed, and then give the process some time to settle before then determining what the nonconformities are, and therefore able to perform the audit, perform corrective actions that have been determined as part of the audit and then complete the management review?

    If so, how much time do you suggest is given to operate the ISMS?

  • Queries related to old client

    Just a quick question: We have some old customers, and at the time, we had not considered obtaining ISO 27001 certification. However, now that we have them, do we need to define the old customers in the risk and stakeholder options given that some policies and procedures aren't in place? So, could you provide us with some guidance on how to handle this situation?

  • Transition Online Course content

    Note that I have questions about some of the content. For example, the text of the documents provided and the corresponding quizzes state that the purpose of the update to ISO/IEC 27001 was to bring it into alignment with ISO/IEC 9001. However, ISO states: “The main changes are as follows: — the text has been aligned with the harmonized structure for management system standards and ISO/IEC 27002:2022...” Also, if I remember it correctly, the verbal content said this as well. My opinion is that the goal of the updated ISO/IEC 27001 was to align with ISO/IEC 27002 and the Annex SL structure. Just my opinion.

  • Supplier questionnaire

    Hi, I need help to produce the following for suppliers that we work with: I need to confirm the correct questions to send out, risk scoring and a policy. Below are questions for suppliers regarding their security posture.

    • Confirm which of the following you have in place: Firewall? IDS or IPS? Secure configuration? Anti-virus/Malware Protection? EDR/MDR/XDR? Patch Management? Access Control? Multi-Factor Authentication? Email spam filtering? Network behaviour monitoring?
    • Do you know what devices connect to your network and who has access?
    • Do you follow any security frameworks?
    • Do you have Cyber Essentials?
    • Do you conduct vulnerability and penetration testing?
    • Do you have backups?
    • Do you have a security and acceptable use policy?
    • Do you have information security policies in place?
    • Do you have access control policies in place?
    • Do you conduct cyber security awareness training?
    • Do you have a disaster recovery plan?
    • Do you have an incident response plan?
    • Do you have anything in place with your supply chain to combat a cyber-attack?

  • Conformio documentation

    Clause 7.4 – Communication (how to evidence the communications plan). Where do I find this information on the system?
    Clause 8.1 – Operational planning and control (to see the ISMS calendar/planner). Where do I find this information on the system?
    Clause 9.1 – Monitoring, measurement, analysis and evaluation (to see the measurement & metrics and measurement results). Where do I find this information on the system?
    Clause 10.2 – Continual improvement (to see the ISMS continual improvement log). Where do I find this information on the system?
    A.18.2.2 – Report of information security compliance monitoring from various Managers/Heads of Heads or plan of action. How do I capture or evidence this in the system?

    And finally, how do I use Conformio to test the effectiveness of the ISMS in the organization?

  • CRM Document Management

    As it is a small company, it would be beneficial to complete most document management within the CRM to enable embedding security in all aspects of service delivery. What is the likely view of auditors of such an approach? This would of course be reflected in the Records Management document.
