Guest
Under ISO 27001:2013 Mandatory documents, both the Information Security Policy and IT Security Policy are listed.
We are trying to discern if both policies are required or if we can eliminate the IT Security Policy and just use the Information Security Policy.
Is it feasible to insert controls from the IT Security Policy into the Information Security Policy?
Please advise on best approach under the Mandatory document requirements.
Can I use ISMS results to prove SOX-ITGC controls?
I am working with a company based in the cloud (with no company-owned networks). What would controls 13.1.1 and 13.1.2 look like for us if this is the case? We are working with companies that have proper policies in place (AWS, Github, etc.), but how could I prove to the auditor that we are compliant?
First of all, congrats on your very well conducted webinar.
I'm analyzing the articles that you shared yesterday, and I would like to clarify one thing.
In the article “Detailed explanation of 11 new security controls in ISO 27001:2022” we have the Topic “Documentation”:
I was thinking of adding the details about "Physical Security Monitoring" inside the "Access Control Policy", since this document should also cover physical access.
Please, let me know your thoughts.
Hi Dejan, just wanted to send you a thank you e-mail regarding the webinar today; it was the best explanation I have come across since the new ISO 27001:2022 emerged. One thing I wanted to ask, and hopefully others could benefit from this too: I have read somewhere that the new control names will be divided into:
1. Detective control
2. Corrective control
3. Preventive control
Is this true? And is this just a general description or a mandatory part of the change, i.e. do these names have to be mentioned after each control in the SoA?
We have recently undergone a Gap Analysis with NQA ready for our ISO certification, and some significant failings were discovered during the process.
The key bits were the difficulty in identifying / linking documentation to clauses, missing clauses without explanation and missing information on areas provided.
Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.
Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.
Can you please help me get clarification on the below? I had asked this in one of the Q&A sessions of your webinar.
One of my clients has outsourced IT and software development. I have to do the internal audit for this client, and in the scope document they have mentioned the entire organization. In that case, do I have to audit the IT department?
One of the clients is operating in a co-working space; physical, access, IT and networking security is managed by the provider. In this scenario, does the client need to have access, network and physical security policies and procedures?
Regarding the ISMS Scope Document: for the location, we are a remote company with a virtual address. We have an address for our data center; should we include it? Also, what should we exclude? We give laptops to our employees.
I am responsible for doing audits in a TISAX implementation. In this case, using an audit checklist, from my point of view I need to have ISO 27001; is that right?