
ISO 27001 & 22301 - Expert Advice Community




  • Privacy Act in Canada

    We are based in Canada but have clients and, to some extent, operate in the US, Australia, and the UK. Is it sufficient to specify conformance with PIPEDA as defined in Canada's Privacy Act, or do we have a separate requirement in each country we operate in? Thanks

  • Server's decommissioning

    Is there any standard regulation for the treatment of server decommissioning? I'm structuring the project scope and collecting data information regarding the regulations and information requirements that need to be observed before the definitive information discard. The project will be developing the new process to right server's decommissioning standard to be applied to all types of servers.

  • BCM policy

    We bought your set of documents for the ISO27001 certification and are missing a template for business continuity management.

    The auditor requires it (more than the emergency recovery plan) according to A.17.1.

    Do you have something we can use?

  • Data Center and Disaster Recovery Site

    I need to see information on how far apart a data center and a disaster recovery site should be. Can I find this in the ISO 27001 documents?

  • Offshore Requirements

    I have some customer requirements that I want to ask if they are already included in my scope or not. One set calls out Offshore requirements. We are a virtual company and everyone works remotely. I didn't plan to separate offshore vs. domestic work. Is that typical?

    Please let me know if these requirements will be fulfilled: I think these would be, but I don't quite understand Incident Response vs. Incident Plan vs. Incident handling - aren't these all covered by the same Policies and Procedures and part of the overall plan?

    IR-1.1 Develop policies and procedures for Incident Response.
    IR-6.1 Report security incidents to appropriate personnel or government authorities in a timely manner.
    IR-8.1 Develop a comprehensive Incident Response Plan for the organization.
    IR-5.1 Implement mechanisms for tracking and documenting security incidents.
    IR-4.1 Develop an incident-handling process for the organization.

    Does this have to be separate?

    Offshore-48 Complete a security assessment of the organization's offshore location(s) and/or third party's offshore location(s) annually.
    Offshore-20 Requires antivirus software to be active and up to date on workstations.

  • ISO 27001 compliance in a system

    My company is a Telco. We are going to buy a revenue assurance and fraud management (RAFM) system. That system will take data from other Telco source systems (like switch, billing system etc.), analyze it for us and help us to find data exceptions. Is it a must that our RAFM vendor system comply with ISO 27001 certification? Or can we consider that it is simply a monitoring aiding tool and ISO compliance is not a must? Kindly advise. Thank you

  • Compliance with ISO 27001:2022

    Hi Dejan, 

    Thank you for your email. 

    I have a few questions that you might be able to answer with regards to what we currently have and what we need to fully comply with ISO 27001:2022.

    Our current situation is as follows:

    ISO 27001:2013 is valid from August 2021 to August 2024 
    First Surveillance/Maintenance Audit was completed 
    2nd Surveillance/Maintenance Audit is scheduled for 2023
    Recertification Audit is scheduled for 2024 

    The question is 

    Should we start implementing ISO 27001:2022 after the 2nd Surveillance/Maintenance Audit for ISO 27001:2013 and then apply for Certification Audit for ISO 27001:2022 in 2024? 


    Should we start implementing ISO 27001:2022 immediately and then apply for Certification Audit for ISO 27001:2022 in 2023? Is this even an option, or do we need to complete the 3-year cycle?

    Staff training course/certificate completed:
    ISO 27001:2013 Lead Auditor Course
    ISO 27001:2013 Internal Auditor Course
    The question regarding these courses/certificates is: in order to have ISO 27001:2022 Certification, will we just need to take a course + exam on the ISO 27001:2022 Foundation Course?

    For example: 

    ISO 27001:2013 Lead Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Lead Auditor Course Certificate 

    ISO 27001:2013 Internal Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Internal Auditor Course Certificate 

    Also, last year (2021), our company purchased the ISO 27001:2013 toolkit. Is there an upgrade option to ISO 27001:2022 and/or guidance on what document(s)/process(es) we need to change or document(s)/process(es) we need to create?

  • What records to create for backup restore?

    Hi, we are doing backup restore tests but we are unsure what records we should produce. Producing records of backup runs is easy, it is in the backup logs. But the backup restore test involves taking a backup copy, restoring it and then looking at the result. The person who did the restore can say it looks ok, all files are there and validate last DB entry but this control needs to generate a record, report or screenshot of some kind so we can be sure it was tested according to schedule.

    I would be happy if you could shed some light on the best practice in this area. Thank you and best regards!

  • Scope of application of quality standards

    What is the scope of application of the quality standards because I don't know where to consult them.

    NTC ISO/IEC 27000, NTC ISO/IEC 27001:2013, NTC ISO/IEC Guide 73:2002


  • ISO 27001:2022

    I just wanted to confirm with you some information regarding the dates that organisations can start certifying to the new issue of ISO 27001:2022. The transition period diagram that you have published in your blog states that organisations can start certifying to the new standard as of the 25/10/2022.

    Does that mean Certification Bodies are already certified to the new standard and the Auditors are already qualified to audit organisations against the new standard's clauses and controls?

    Or is it in fact a mistake in the transition diagram and the date should read 25/10/2023?
