Guest
I am a compliance specialist in payment services and, in light of the upcoming EU DORA legislation, I thought I might get an ISO certification. Am I correct that I need 27001? What type of certification do I need?
Company X outsources its main business product (source code, software application and maintenance) and IT services (office network and maintenance) to a third party. Now, company X is trying to document its ISMS scope according to clause 4.3.
The scope document must include processes and services, organizational units, locations, and networks and IT infrastructure. However, company X doesn't have an IT department, and all IT- and network-related work goes to the third party. Company X doesn't own a single switch or server.
My question is: do we need to include the third party's network diagram, IT infrastructure, servers, and network devices in the scope if these touch our main product?
1. How to do a gap analysis of the status of my management system against compliance with the ISMS requirements of ISO 27001:2013?
2. List of documents required to comply with ISMS ISO 27001.
3. How to develop an ISMS ISO 27001 communications program for interested parties, and what should this program contain?
4. How to develop an ISMS ISO 27001 awareness program for stakeholders, and what should this program contain?
5. How to develop a management review procedure/program?
I have a basic scope question that I am trying to understand, and I thought that you might be able to help me.
1 - What do we really mean when we say that something is included in the ISMS scope? Does that mean that everything in the ISMS then needs to be applicable to the organization, site and processes in the scope? Or, if not, does this need to be described in the ISMS somewhere? (For example, if we have a sales process and this sales process doesn't apply to an office that we say is in scope, do we then need to document this in the ISMS?)
2 - Could we exclude offices/departments from the ISMS because we don't share the same core processes, if we at the same time share support processes (the HR process and some IT processes, for example) and steering processes?
We are working on the implementation of the BIO (Baseline information security for Dutch governments) and are thinking of ISO27001 certification. I purchased the internal audit toolkit (Dutch) to get a better understanding of the work still to be done.
1 - Could you explain how the certification process is done and what the average costs are?
2 - Can Advisera do this certification?
3 - Can the certification be done online/remotely, or does it need to be done onsite?
4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.
I need help from your expert to know how to deal with the following chart and what is really expected in terms of competencies and knowledge, as well as the related training.
Can you please provide me with some support?
I'm trying to figure out if certain controls should be listed as Not Applicable on an SOA for an organization that doesn't really manage their network in depth, as their users really just log into cloud-based services such as SharePoint & OneDrive remotely from home. To be clear, they do not have a need for anyone like a network engineer, especially as they do not do anything like push patches to a production environment, and they simply do their due diligence on third parties like Microsoft to make sure they are secure enough to communicate sensitive information. My question is whether the following should be Not Applicable:
A.11.1.1 - A.11.2.5: They seem to all be controls that would only be relevant in a physical environment where people would come in regularly, and not one where there is not even a single office.
A.13.1.3: I'm not sure how segregated a network the standard wants for one that doesn't even require a network tech. I would consider sensitive folders being limited to specific privileged users, for example, to be enough to satisfy this control in this context.
A.14.1.2 - A.14.1.3: I actually think both of these should be Applicable, but want to make sure. If users are allowed to connect from public networks & securely send sensitive emails, I think it makes sense to include them in the SOA. Confirmation from someone else here would be appreciated.
These are the controls I wanted to clarify the most. I'm sorry if I could've written this all out a little more clearly and if these questions have already been answered. I tried searching for a list of controls that would normally be Not Applicable for a typical work-from-home company that doesn't really own any of its servers, but came up short. If someone already has a good filtered list of typical Not Applicable controls for a SaaS environment like this, that would be immensely appreciated. Thank you in advance, this community's always so helpful!
Do we have to keep a record control table and approved supplier lists? Please advise.
Hi team, I am sending this message to ask you which documents correspond to clauses 4.1, 5.1, 6.1.1, 6.1.2, and 9.1. I have done all the documents provided by Conformio, but I can't find the documents for the clauses above. Please support me on this issue.
Thank you for the meeting we had last Friday. As discussed, “A.8.2.2 Labeling of Information” is not applicable for us, and I deactivated the control in the SOA. However, in the following steps I see there is the “Information Classification Document”, which requires a responsible person and also defines the labels in 3.2.2 (Confidentiality levels – see the below table).
I'm wondering if there is a way to remove Labeling in this case, or is it enough that we have manually put Not Applicable (N/A)? Or, if we have A.8.2.1, is it mandatory to have A.8.2.2 as well?