ISO 27001 & 22301 - Expert Advice Community
  • Did ISO 27002 have any update between v2013 and v2022?

    Did ISO 27002 have any update between v2013 and v2022?

    If so, what were the numbers/dates, please?

  • Queries on Risk register

    Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole, or do we need to add different assets that are applicable to the organization?

    Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms with a single category as Infrastructure. Could you please explain to me how we should define them?

    Could you kindly let me know if we need to define different categorized products with Assets and then specify the vulnerabilities associated with that specific asset in the Risk Register for internally developed software?

  • Documents monitoring KPIs regarding applicable controls

    Our auditor is asking for document submission. I'm not sure what they are looking for. Does Conformio (or the template package we purchased) have anything to cover this request: "Performance metric documents (e.g., KPI reports) showing performance tracking over applicable controls and objectives within the environment (S1)(A2)"?

  • Ransomware recovery plan

    We are looking for a template for a ransomware recovery plan for business continuity.

    Kindly confirm if you have such templates or anything related.

  • Request for Guidance

    Good morning Dejan,

    I trust this mail finds you well.

    I would really appreciate advice as to whom I may contact in order to become a Certified “Accreditation” Auditor.

    I am certified on both ISO 27001 and ISO 9001 as a Lead Auditor, and wish to move to the next level, where my role changes from Internal Auditor and Implementer to the role of Certification Auditor for companies that had their ISMS implemented by another party.

    These are the standards for which I wish to become a Certification Auditor:
    - ISO 27001 Information Security Management System
    - ISO 9001 Quality Management System
    - ISO 45001 (14001) Occupational Health and Safety Management System
    - ISO 14001 Environmental Management System
    - ISO 22301 BCMS Business Continuity Management
    - ISO 20000 Service Management System

    I have purchased these standards in preparation for becoming a Certification Auditor:
    - ISO 17021-3 Competency requirements for Auditing and Certification of Quality Management Systems
    - ISO 19001 Guidelines for Auditing Management Systems

    I look forward to your most valued response.

    Sincere regards,

  • Losing certification

    Thanks for all your emails. I have a quick question to ask.

    After getting your organization certified, what can make you lose the certification?

    Do you have any possible questionnaire for this?

  • Impact correlation between multiple risks

    Hi Dejan,

    I’ve a question regarding the correlation between multiple risks and the impact evaluation of these correlating risks.

    Let's say I have these 2 risks:

    - Risk 1
      - Asset: Office room
      - Vulnerability: Lack of access controls to facilities, rooms or offices
      - Threat: Unauthorized entry into facilities, rooms or offices
    - Risk 2
      - Asset: Printer
      - Vulnerability: Network devices inadequately physically protected
      - Threat: Unauthorized access to equipment

    Now, during impact evaluation, I would assess the impact of each risk by itself as medium. But if both risks materialize at the same time, I would assess each as a high risk, because this would mean an unknown person instead of an employee would access the printer. How would you represent the combination of both risks during risk assessment?

  • Support re. internal audit section of ISO 27001 2022

    We're currently kicking off the process of becoming ISO accredited. Having looked through the documentation, the section that I'm having difficulty understanding is the internal auditing requirements.

    - Who exactly needs to be audited?
    - Who can do the auditing? For example, could I conduct the audit despite being the project manager? Does it need to be someone that is independent from the process of implementation?
    - Are we auditing our implementation in line with the checklist that's been provided with the toolkit (11.3 Internal Audit Checklist)?
    - If we are using the Internal Audit Checklist to conduct our audit, there are 2 sections to this. Do we need to complete both sections?
    - I understand the Measurement Report (12.1) is part of the internal audit process, but I'm a little confused as to what actually needs to be measured here and how it relates to the audit. Is this more a documentation of security objectives we want to achieve?

    Apologies for all the questions, but I'm not an expert in this, so I want to get a good understanding before we kick off.

  • Support regarding ISO 27001:2022

    I'm unclear on a few things on the overall ISO process (I have sent through a separate email on the auditing process, but having reviewed the rest of the process, I'm unsure).

    Essentially, I get stuck once we get to the point in the project checklist where the procedure for corrective action needs to be written.

    Is the idea at this point to roll out the ISMS we have developed, and then give the process some time to settle before determining what the nonconformities are, and therefore be able to perform the audit, perform the corrective actions that have been determined as part of the audit, and then complete the management review?

    If so, how much time do you suggest is given to operate the ISMS?

  • Queries related to old client

    Just a quick question: We have some old customers, and at the time, we had not considered obtaining ISO 27001 certification. However, now that we have them, do we need to define the old customers in the risk and stakeholder options, given that some policies and procedures weren't in place? Could you provide us with some guidance on how to handle this situation?