Guest
ISO 27001 requires that staff sign off on policies that have been distributed to them and that are applicable to them.
I couldn’t find a mechanism in Conformio for this.
Can you please let me know how to handle this requirement?
Hi Dejan
Kindly assist.
I am consulting on ISO 22301 for a company.
I want to buy your Risk Management tool kit comprising of the following:
1. Risk Assessment & Risk Treatment Methodology = $39.0
2. Risk Assessment Table = $24.90
3. Risk Treatment = $14.90
4. Risk Assessment & Treatment Report = $14.90
5. Statement of Applicability = $39.90
At the point of adding 2 to 5 on the payment menu, the reference was to ISO 27001. (please see attached)
Does it mean there is no difference between Risk Assessment in ISO 22301 and Risk Assessment in ISO 27001? Can I use the tools for ISO 22301 even though they are tagged for ISO 27001?
Kindly guide me on this before I make the purchase.
I have a quick question regarding the clause reference. I am assuming that the first column references the ISO standard and then, during the audit, in the evidence section I map the corresponding control?
For example, if the organization does not have suppliers specified in A.5.22 but in A.15.1 I just map the evidence to the question?
Hi Dejan,
Regarding the new ISO 27001 control A.8.11 Data Masking: is there a need to mask or obfuscate the PII data in the internal system used by the company despite the implementation of role-based access? When the data is actively used daily, how do we balance business operations and security implementation for data masking?
Thank you and I appreciate any advice on this.
Regards,
Liza
1 - Working for a company that does not store any of the data in house and handles software development in GitHub, how would we apply cryptography?
2 - I understand you need certain processes to include encryption, but I don't quite see where I could use it.
3 - We use SSH tunnels for an encrypted connection from computers into secure coding environments, but how could we use this in our policy?
Regarding the Conformio Register of requirements: I don't understand how granular the entries should be (recommended or required by the ISO 27001:2022 standard). We have a lot of contracts with different customers, but the contracts themselves have the same content. Should we create a new entry for every customer contract, or would it be sufficient to create a general entry for all contracts with the same content? Or should we even create a new entry for every requirement of each contract of every customer?
We are based in Canada but have clients and, to some extent, operate in the US, Australia, and the UK. Is it sufficient to specify conformance with PIPEDA as defined in Canada's Privacy Act, or do we have a separate requirement in each country we operate in? Thanks
Is there any standard or regulation for the treatment of server decommissioning? I'm structuring the project scope and collecting information regarding the regulations and information requirements that need to be observed before the definitive discarding of information. The project will be developing a new process for a proper server decommissioning standard to be applied to all types of servers.
We bought your set of documents for the ISO 27001 certification and are missing a template for business continuity management.
The auditor requires it (more than the emergency recovery plan) according to A.17.1.
Do you have something we can use?
I need to see information on how far apart a data center and a disaster recovery site should be. Can I find this in the ISO 27001 documents?