ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Asset inventory

    Hi! I'm a customer with you at the moment. I bought the ISO 27001 template package. One quick question:

    Should the Asset Inventory spreadsheet and the Risk Assessment spreadsheet always reflect each other? I mean should they always have the exact same assets?

    Currently, in my Asset Inventory, I have a "Dell XPS17" and a "Dell XPS15" but in my Risk Assessment I just wrote "company-owned laptops".

    Does it make any difference?

  • Data Backup and Restore

    Does the backup and restore process should be encrypted?

    I Mean the tapes itself.

  • Control diversification

    Hi, I'm a customer using your template package for ISO 27001.

    Quick question for the experts:

    I've read this thread in the community ( but I'm still having some difficulties.

    We're a very small organization with a scope of 3-4 persons. We've never had a security incident. I know that you've added the "Control objective" column to make it practically easier, but I start to wonder if we should completely remove the column. The only control objective I can think of is "We want to continue having 0 (zero) security incidents". And sure, I can put in "We want to have zero security incidents due to (insert e.g., lack of patching, poorly managed access rights etc.)

    Currently, I've written the same thing in almost every control (formulated as a question though):
    - Has any incidents occurred due to failed control with access rights?
    - Has any incidents occurred due to the lack of security measures in the transfer of physical media?

    I cannot figure out how to diversify it. Can I completely ignore the control objective column and then just go by "We want to keep having zero security incidents. If we register any - how many? And due to what?" and then look to the weakness.

  • 10.1.2 Key management

    I wanted to ask how I can check annex 10.1.2 Key management during the internal audit session what's needed to be satisfied these requirements.

  • Human Resources Policy

    My new organization has a lot of Human Resources policies like diversity and inclusivity policy, Car allowance policy, Dress code policy, etc., while ISO 27001 Human Resources security policies deals only with prior, during and after employment security.

    1 - In designing an ISMS to ISO 27001 standards, are this non security related policies included or excluded?

    2 - Another question. My new organization uses the Plan-Do-Check-Act (PDCA) to write individual security policies like the business continuity management policy etc.
    My understanding is that the PCDA model is for the structure of the ISMS and not for individual policies. Am I wrong?

  • Encryption for Backup/Restore

    1 - Do we need to encrypt all data during the backup/Restore process or not?

    2 - If yes , do we need to encrypt all the data or we need to classify the data?

    3 - Who will decide what data should be encrypted?

  • Disaster Recovery Plan

    1 - May I ask, is the Disaster Recovery Plan a good control to start with, and the most important one. Also, it consists of many other controls that would then be covered at the same time?

    2 - I suppose our Head Software Developer who also is in charge of Server Maintenance, would that be the person to document these steps.  As it is much more complex than just “copy-paste install backup.

  • Vulnerability Assessment & Penetration Testing policy

    I can't find Vulnerability Assessment & Penetration Testing policy. I don't see it included in A.12.1_Security_Procedures_for_IT_Department_27001_EN.

  • 15.1. Control Document

    I have previously had advise that individual control documents are available, which i have reviewed, but our auditor has specifically asked to develop a control document for 15.1.3 Information and communication technology supply chain, we already have a 15.1.1 and a 15.1.2. The supplier security policy appears to be more related to 15.1 but would it also cover policy required for ICT supplier arrangements as required in 15.1.3

  • Security Objectives

    Conformio gives pre-defined SO's 

    a. Is it possible to create customized SO's ?

    b. For predefined SO's 'Decrease the costs of complying with information security & privacy regulations by  x% because of ISO 27001 implementation' what is the meaning ? Where is the guidance/ metrics to measure this ?

    c. Is there a specific reason why only these many predefined SO's are provided ?

    Looking forward to your kind response.

    Thanks & Regards


Page 3 of 469 pages