ISO 27001 & 22301 - Expert Advice Community


  • Trying to map additions

    Thank you for the last answers (https://community.advisera.com/topic/risk-treatment-and-rtp/#comment=reply-21525).

    I have two topics and questions about them. 

    I have the new Advisera ISO 27001 2022 Toolkit. I am trying to map the additions caused by the new version of the ISO 27001:2022 standard's main part (clauses 4 to 10) in the Toolkit, e.g. 6.3 and 8.1 among others, but cannot seem to find them.

    Are the standard's changes such in nature that they can be seen as already included in the old version of the document templates? Or why can I not find them?

    Can an ISO 27001:2013 certified company make all the changes required for the new ISO 27001:2022 version and, if compliant, certify against the 2022 version in the middle of the 3-year validity period in one of the surveillance audits?

    Is it probably required to have an internal audit done against the 2022 version before certification?

  • Procedure for document and record control

    We are actually working on the document ’PROCEDURE FOR DOCUMENT AND RECORD CONTROL’

    For ***, I am wondering whether it can be the Conformio Platform or not.

    Each external document that is necessary for the planning and operation of the ISMS must be recorded in the *** or in the *** according to their form. The *** and the *** must contain the following information: sender, document name, and date of receipt.

    The person who receives such external documents in paper or other physical forms (e.g., through regular mail or as courier parcels) must make a record in the ***. The person who receives external documents in electronic form (e.g., through email) must record them in the ***.

    Question: I would like to know if we can use Conformio instead of a CRM (which makes no sense in this case).

  • Code of Conduct

    Hi Team, can you please let me know how I can create our Code of Conduct? Thanks.

  • Annual Review Templates

    Are there any templates for evidencing annual reviews of supplier security documents?

  • Starting the implementation

    I have now opened the zip folder ISO 27001 & ISO 22301 and found two folders for ISO 27001:2019. I ask for an explanation.

    When I opened the first folder, I found documents that probably allow both standards to be processed in an integrated manner. Is that correct?

    I actually wanted to start one project after the other, and not both at the same time. I wanted to start with ISO 22301 separately; how is this possible, please?

  • Risk Treatment and RTP

    I have questions about risk management, I was wondering if you could help me with these.

    Does ISO 27001 require the risk treatment plan as one single plan, or is it acceptable to make risk treatment plans per risk and approvals per risk? And if it is acceptable, what elements per treated risk must be present (responsibility, timetable, etc.)? The question arises because of a risk software which allows making a risk assessment and treatment and planning treatment on a per-risk basis; there is no means to collect all risks in one single plan (which contains the treatment descriptions).


    Does ISO 27001 require a documented comparison procedure of the controls (determined in 6.1.3 b) with those in Annex A? The question arises because the before-mentioned software has no means to make up a control comparison in a composed way, e.g. a control table to use for the comparison (like the Advisera Risk Treatment table template has).

  • ISO27001 Toolkit materials

    We recently purchased the Advisera ISO27001 Toolkit. We are working through the documentation and have a query we would appreciate your advice on. We believe we need to document the following couple of controls and policies:

    Human Resources Security Policy
    Data Leakage Prevention Policy

    We noticed there are no templates for these in the Annex folder, although they appear to be referenced in other providers' template packs. Are we missing files, or can you point us in the right direction?

  • Control A.18.1.2

    Working on 18.1.2 (intellectual property rights), how can we prove compliance with this control? Do we simply need to have copies of the agreements we have with each piece of software used? And be prepared to prove that we are operating within the agreed terms?

  • Cybersecurity

    Explain why business continuity and ISO standards are important in the context of cyber security, using examples in your explanation.

  • Mandatory and non-mandatory documents

    1. I hope everything is well with you.
    I have a question about the ISO 27001 Implementation Toolkit: does the toolkit contain or cover all the documents that I will need to comply with ISO 27001? Because I notice, for example, when I review the document Internal Audit Checklist regarding control A.6, you need evidence for "Are all information security responsibilities clearly defined through one or several documents?" and whether that is compliant or not. My question here: must I produce a document for A.6.1.1, A.6.1.2, A.6.1.3 and A.6.1.4? This is my question.

    2. Also, I am confused regarding the document I downloaded from ISO 27001 Academy named Checklist of Mandatory Documentation Required by ISO 27001, because the document contains a part explaining the non-mandatory documents,
    and this part contains, for example, a document about BYOD. I am confused because the Documentation Toolkit contains the BYOD document. Which is right, the Documentation Toolkit or the documents which I downloaded from the ISO 27001 Academy?
    Please explain to me.
