ISO 27001 & 22301 - Expert Advice Community




  • Statement of Applicability

    Grateful if you can please confirm on the following.

    We are in the phase of a certification audit. The auditor is currently reviewing the Statement of Applicability (SoA).

    For clause 18.1.5, Regulations on cryptographic controls: there is no such law currently in XXXXX. So, is this clause applicable to our company for the time being, or shall it be recorded as an exclusion in the SoA?

  • ISO Certified Auditor

    I have a dilemma that you can help me with. I have the option to attend IRCA Certified ISO 22301:2012 lead auditor training at Bureau Veritas (they don't have an option for 2019), so I'm interested in how the transition to 2019 would possibly go after that.

  • Conformio number of documents

    I wanted to know why it seems that the Conformio site has fewer documents than the template documents. It seems like it's missing a lot of information. Does it cover all of the Annex parts and have all the templates?

  • Scope question

    We have one question about the ISMS scope:

    Our owner/parent company (XXXXX) is also our supplier for several IT services (e.g. network). They define rules and settings that automatically apply to us (in their role as owner). However, in their role as supplier they would have to adhere to the standards we (subsidiary = YYYYY) set for them, correct? How should we formulate this in our ISMS scope and how should we treat it in the SoA? And are there any recommendations regarding how such a relationship should be clearly formulated in an SLA?

  • Module 9 - reviewing documents off-site

    I am referring to ISO 27001 Internal Auditor Course.

    In module 9 (Document review at 2:20) it is said the following:

    "You can perform the document review on-site meaning in the auditee or premises, or you can also do it off-site – in your own office – it really does not matter, all you are doing is reading the documentation."

    Is this really correct? This documentation is, or can be, classified and shouldn't leave the premises. I found that statement a bit strange.

  • ISMS TIER 1 - 4 Documents

    ISO 27001:2013 has categorized documents into tiers. What are the Tier 1, Tier 2, Tier 3 and Tier 4 documents/definitions?

  • Incident Response and Business continuity Disaster Recovery instructor led training

    I am really looking for instructor-led training on Incident Response planning and Business Continuity / Disaster Recovery planning. Could you help me with that?

  • Business impact analyses questionnaire

    I requested some information regarding our ISO Business Impact Analysis questionnaire and what the correct process would be to complete these for our implementation. The response we got was that only documented business processes should be documented, but we are now again at a point in the process where we are not sure which processes should be listed, and whether we need to document things like physical links at our office not being available.

    The scenario I can share with you is that we have an office where some of our core systems are located.

    1 - What impact analyses should I document?

    2 - Do I take a granular approach and document things like power outages, or do things like power outages become a prerequisite for a process not being available?

  • Clause 5.1 / internal audit

    First I would like to thank you for all the Advisera answers I have received. The answers have been top quality.

    I have questions about clause 5.1. and internal audit preparations.

    I am conducting an internal audit before the certification audit and preparing my checklist. What kind of hands-on evidence can I look for to verify compliance with clause 5.1, and what kind of questions should I use to find and verify it?

  • ISO 27001 questions

    We would be happy to accept your free offer and have our documents checked by you. I am sending you our current status.

    In particular, we have the following questions:

    1 - We are a translation company and have only identified one general entry - our customers - in list 02.01 of statutory, official and contractual requirements. Could you tell us if this is enough?

    2 - We obtain standard services from our service providers and do not always negotiate individual contracts. Is it sufficient for our certification if our service providers are themselves certified according to ISO 27001?

    3 - As a small company, management and IT have dual roles and responsibilities, so that separation of duties is not always possible. Did we take this into account correctly in the documents? How is this to be dealt with in general?
