Guest
I have some customer requirements that I want to ask if they are already included in my scope or not. One set calls out Offshore requirements. We are a virtual company and everyone works remotely. I didn't plan to separate offshore vs. domestic work. Is that typical?
Please let me know if these requirements will be fulfilled. I think these would be, but I don't quite understand Incident Response vs. Incident Plan vs. Incident Handling - aren't these all covered by the same policies and procedures and part of the overall plan?
IR-1.1 Develop policies and procedures for Incident Response.
IR-6.1 Report security incidents to appropriate personnel or government authorities in a timely manner.
IR-8.1 Develop a comprehensive Incident Response Plan for the organization.
IR-5.1 Implement mechanisms for tracking and documenting security incidents.
IR-4.1 Develop an incident-handling process for the organization.
Does this have to be separate?
Offshore-48 Complete a security assessment of the organization's offshore location(s) and/or third party's offshore location(s) annually.
Offshore-20 Requires antivirus software to be active and up to date on workstations.
My company is a telco. We are going to buy a revenue assurance and fraud management (RAFM) system. That system will take data from other telco source systems (like the switch, billing system, etc.), analyze it for us, and help us find data exceptions. Is it a must that our RAFM vendor's system complies with ISO 27001 certification? Or can we consider it simply a monitoring aid, so that ISO compliance is not a must? Kindly advise. Thank you.
Hi Dejan,
Thank you for your email.
I have a few questions that you might be able to answer with regard to what we currently have and what we need to fully comply with ISO 27001:2022.
Our current situation is as follows:
ISO 27001:2013 is valid from August 2021 to August 2024
First Surveillance/Maintenance Audit was completed
2nd Surveillance/Maintenance Audit is scheduled for 2023
Recertification Audit is scheduled for 2024
The question is:
Should we start implementing ISO 27001:2022 after the 2nd Surveillance/Maintenance Audit for ISO 27001:2013 and then apply for the Certification Audit for ISO 27001:2022 in 2024?
or
Should we start implementing ISO 27001:2022 immediately and then apply for the Certification Audit for ISO 27001:2022 in 2023? – is this even an option? Or do we need to complete the 3-year cycle?
Staff training course/certificate completed
ISO 27001: 2013 Lead Auditor Course
ISO 27001:2013 Internal Auditor Course
The question regarding these courses/certificates is: in order to have ISO 27001:2022 certification, will we just need to take a course + exam on the ISO 27001:2022 Foundation Course?
For example:
ISO 27001:2013 Lead Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Lead Auditor Course Certificate
ISO 27001:2013 Internal Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Internal Auditor Course Certificate
Also, last year (2021), our company purchased the ISO 27001:2013 toolkit. Is there an upgrade option to ISO 27001:2022 and/or guidance on which document(s)/process(es) we need to change or which document(s)/process(es) we need to create?
Hi, we are doing backup restore tests, but we are unsure what records we should produce. Producing records of backup runs is easy; it is in the backup logs. But the backup restore test involves taking a backup copy, restoring it, and then looking at the result. The person who did the restore can say it looks OK, all files are there, and validate the last DB entry, but this control needs to generate a record, report, or screenshot of some kind so we can be sure it was tested according to schedule.
I would be happy if you could shed some light on the best practice in this area. Thank you and best regards!
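The restore test described in the post above, written out as an added example that is not part of the original post or any answer to it. It stands in for the production database with constructed SQLite data, takes a backup, restores it to a scratch location, checks the restored copy against facts captured at backup time (file hash, integrity check, row count, last entry), and writes a JSON evidence record with a timestamp, the operator, and a hash over the record itself. The table name, column names, and operator identity are assumptions.

```python
"""Backup restore test that produces a verifiable evidence record.

Added example, not from the original post. The 'events' table, its columns
and the operator name are assumptions; the sample rows are constructed.
"""
import hashlib
import json
import os
import sqlite3
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_source_db(path):
    """Constructed sample data standing in for the production database."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, ts TEXT, msg TEXT)")
    rows = [(f"2024-01-0{i}T00:00:00Z", f"event {i}") for i in range(1, 6)]
    con.executemany("INSERT INTO events (ts, msg) VALUES (?, ?)", rows)
    con.commit()
    con.close()


def db_snapshot(path):
    """Facts about a database that a restored copy must reproduce."""
    con = sqlite3.connect(path)
    count = con.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    last = con.execute("SELECT id, ts FROM events ORDER BY id DESC LIMIT 1").fetchone()
    integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
    con.close()
    return {"row_count": count, "last_id": last[0], "last_ts": last[1], "integrity": integrity}


def take_backup(src_path, backup_path):
    """Online backup via SQLite's backup API; returns the expectations to verify at restore time."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(backup_path)
    src.backup(dst)
    dst.close()
    src.close()
    return {"backup_sha256": sha256_file(backup_path), **db_snapshot(src_path)}


def restore_and_verify(backup_path, expected, operator, record_path):
    """Restore to a scratch file, compare with expectations, write the evidence record."""
    restored_path = os.path.join(tempfile.mkdtemp(prefix="restore-test-"), "restored.db")
    with open(backup_path, "rb") as src, open(restored_path, "wb") as dst:
        dst.write(src.read())
    observed = {"restored_sha256": sha256_file(restored_path), **db_snapshot(restored_path)}
    checks = {
        "file_hash_matches": observed["restored_sha256"] == expected["backup_sha256"],
        "integrity_ok": observed["integrity"] == "ok",
        "row_count_matches": observed["row_count"] == expected["row_count"],
        "last_entry_matches": (observed["last_id"], observed["last_ts"])
        == (expected["last_id"], expected["last_ts"]),
    }
    record = {
        "test": "backup-restore",
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "backup_file": os.path.basename(backup_path),
        "expected": expected,
        "observed": observed,
        "checks": checks,
        "result": "PASS" if all(checks.values()) else "FAIL",
    }
    # Hash over the canonical record so later edits to the evidence are detectable.
    body = json.dumps(record, sort_keys=True).encode()
    record["record_sha256"] = hashlib.sha256(body).hexdigest()
    with open(record_path, "w") as f:
        json.dump(record, f, indent=2, sort_keys=True)
    return record


def run_restore_test(operator="backup-admin"):
    """End-to-end run on the constructed data; returns the evidence record."""
    work = tempfile.mkdtemp(prefix="backup-demo-")
    src, bak, rec = (os.path.join(work, n) for n in ("prod.db", "prod.bak", "restore-record.json"))
    make_source_db(src)
    expected = take_backup(src, bak)
    return restore_and_verify(bak, expected, operator, rec)


if __name__ == "__main__":
    r = run_restore_test()
    print(r["result"], r["record_sha256"])
```

The point of the record is that it carries the comparison, not just a statement that the restore "looked OK": the expectations are captured at backup time, the observations at restore time, and each check is stored as a named boolean, so the schedule can be audited by listing the JSON files and their timestamps.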
What is the scope of application of the quality standards? I don't know where to consult them.
NTC ISO/IEC 27000, NTC ISO/IEC 27001:2013, NTC ISO/IEC Guide 73:2002
ISO/IEC 27005:2009, Colombian Technical Standard NTC-ISO/IEC 27001
I just wanted to confirm with you some information regarding the dates that organisations can start certifying to the new issue of ISO 27001:2022. The transition period diagram that you have published in your blog states that organisations can start certifying to the new standard as of the 25/10/2022.
Does that mean Certification Bodies are already certified to the new standard and the Auditors are already qualified to audit organisations against the new standard's clauses and controls?
Or is it in fact a mistake in the transition diagram and the date should read 25/10/2023?
As part of our Risk Assessment, I am using your tool kit. Is there a document or template that explains what threats and vulnerabilities are associated with what assets?
What should I choose from your list of threats and vulnerabilities for ***, which is cloud software?
Hi! I have an app that is HIPAA compliant and hosted in the US. I would like to open it up to patients in Israel and am trying to figure out what it takes to become ISO certified and what part of that is already covered by HIPAA. It is a mental health app and we store personal data, although nothing about physical health. Thanks!
I would like to know which ISO 27001 Annex A controls relate to which ISO 27001 clauses, for example clause 4 is covered by control A.??? Or is it not that simple?
Please be so kind as to enlighten me regarding the following:
As a certified ISO 27001 and ISO 9001 Lead Auditor, what "document" would I be required to provide a client once I have completed, for example, a Conformio implementation to the level of providing a Statement of Applicability and assurance that they are compliant and ready to apply for a certification audit?