ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Annex A controls to be applied while mitigating GDPR related risks

    We are ISO 27001 compliant and we have the GDPR controls in place as well. Last time we had an external audit, the auditor had suggested that while we mentioned the GDPR related risk in the ISMS risk assessment sheet the control numbers listed were not mapped correctly. Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR related risks? Also, do we have any other Annex for GDPR related risks controls?

  • Is ISO 27001 applicable to community non-profit with regards to ensuring continuity?

    Would this standard be applicable to a community non profit with regards to ensuring continuity?

  • Intermediary device security

    I am new to the ISO 27000 series, and I would like to know where I will be able to find intermediary device security requirements In order to adhere to the ISO standards.

  • Including WFH or teleworking in audit plan

    problem statement: an external auditor company did not include WFH or teleworking in their audit plan, but the company had already implemented an "ad hoc" WFH during this pandemic without consultation with employees and without government regulatory approval.

    1 - can external auditor still considered this compliant and an ISO/IEC 27001 certification be awarded to the company?

    2 - is there such thing as partial certification?

  • BIA ISO 22301:2019 department based allowed?

    Hi, is it still allowed to perform a BIA for whole departments with the new 22301?

    Our departments are:




    Customer Support


    22301:2019 says an activity is a set of tasks. 22301:2012 was an activity is a set of processes as far as i know.

    The problem is for example our IT does a lot of things like User Support with Ticket System, running servers, VMs, server applications usw., Performing Backups 

    But they are only 2 system adminstrators. So when i perform a BIA for

    User Support

    Running Servers

    Running Applications



    the main ressources are the same like IT-Administrators, Physical Servers...

    Makes no sense for me when i write a plan. 2 System administrators with x plans. 

    I also have the problem in other departments. They do a lot of things, but not all the time. Like 5-10 "Tasks/activitys" or how i should call it in each department. Same employees with partially the same applications. Ressources are desk, thin client, monitor, building and so on.

    So when i make a bia the department boss has to define how much employees he needs after a disaster and when. But that's impossible to define, when the employees that perform these task are the same. Furthermore as the ressources are the same we have x plans and after 1 plan is implemented the whole department can nearly perform all these 5-10 tasks/activitys.


    Best regars!








  • Details about Documents Assets

    I need details on documents assets. Do we consider the employee information spreadsheet also an information asset? Or is just the agreements, contracts etc, which are considered as assets? Please clarify.

  • ISO documentation

    When the organisation is certified with ISO9001 and 27001, and have all the required policies in place. Now that we are in a pandemic what are the documentation changes we need to make in order to accommodate changes like work from home, health and safety etc.

  • Asset movement register

    I want to make an asset movement register, but not getting a perfect idea of how I can make it?
    do we have any format!
    My only requirement is , in my company when some asset like laptop need to move on another department so that in such cases what register we need to made.

  • Root cause analysis and corrective action plan

    When we get ourselves checked for surveillance of ISO 27001 standard, we do receive non-conformities. We perform a root cause analysis and corrective action plan for the non-conformities and work to conform them. I would like to know if you have a template to perform the root cause analysis like the fishbone method etc.

  • Is ISO 27001 relevant for clinical data management?

    Is ISO 27001 relevant for clinical data management?

Page 3 of 411 pages