Guest
ISO has certifications for organizations such as ISO 27001; is COBIT a competitor, and does it also have certification for organizations like ISO does?
Thanks for your mail - I actually noted afterwards that I was able to view the docs.
Can you please assist with which template is the correct one to cover the following according to the SABS standard document:
Clause 4.1.
4.1 - External and Internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome/s of its information security management system
And
Clause 4.3
Determining the scope of the information security system
If you can guide me in the right direction - I will purchase the single documents as I go along.
We got a peculiar request from a customer. Although we are ISO 27001 certified, a customer is insisting that we provide a full list of the following documents.
It is the first time we have been asked for this, and I was curious if you have come across it in the past and have any ideas on how to proceed.
Thank you
· Context of Organisation
· ISMS Scope
· ISMS Governance
· External & Internal Issues and Interested Parties
· Risk Assessment and Treatment Methodology
· ISMS Risk Assessment: Asset Register and Risk Treatment Plan
· Information Security Policy
· Training Matrix
· ISO 27001 Training & Awareness Schedule
· Information Classification and Handling Policy
· Monitoring and Logging Policy
· Corrective Action Register
· Access Control Policy
· Acceptable Use Policy
· Production of Software Policy
· IT Procurement and Third Party Security Policy
· Incident management policy
· Intellectual Property Policy
How to satisfy ISO 27001 standard clause 4.1 in Conformio? Please advise.
One thing that I cannot understand is why we need to maintain 2 separate documents, 1 for risk assessment and 1 for risk treatment. Let’s say I have a risk assessment Excel spreadsheet containing 500 rows, one for each risk, which I maintain and keep updated accordingly (risk identification + analysis + calculation is always completed).
Now I need to transfer all those 500 risks to another Excel spreadsheet to determine which appropriate controls can be put in place in order to treat each risk.
My question is whether I can have one merged/combined document to maintain for both tasks. I have my risk assessment Excel document with all the required columns (risk identification + analysis + calculation, etc.), and what I need is to add another 5-6 extra columns required by the risk treatment plan and have them all in one. Is this right?
I purchased the ISO 27001 Implementation Toolkit from your team last year and it has been very useful.
Please, I would like to get professional advice. I am currently implementing an ISMS for a client using the ISO 27001 framework. Now, is it advisable to use the new ISO 27002 controls released in February 2022, or should I stick to the older version?
Hi, I have a question on how to audit the following:
The company (Xcompany) where I work has acquired another company (Ycompany), so now (Ycompany) is part of (Xcompany). In this case, do their employees need to sign new NDAs with (Xcompany), or if they already have NDAs signed with (Ycompany), is it not necessary?
Thank you for your help
Concerning the backup policy provided in the Toolkit, the company's data is stored at **** Cloud which we obviously do not manage.
The backup is done automatically and in case of deletion of files/folders, we just have to restore the deleted files/folders thanks to the web interface.
Do I have to indicate this in the backup policy?
I have been advised that UKAS rules state, following a Stage 1 audit, the Stage 2 audit must be carried out within 3 months of the Stage 1. Please could you confirm if there is indeed a time limit between the audits, and if so, advise what this time limit is.
I am the Quality Manager at *** and I am in charge of implementing ISO 27001 in the company. For this purpose, we have purchased the ISO 27001 Toolkit from Advisera, specifically the ISO 27001 Documentation Toolkit English (with extended support).
In our case, we have a question that we would like to clarify with you, as we are sure you have seen more cases like this in many other companies.
*** is a small company (around 20-30 people) that is in a growth and expansion phase (in the next few years). As we are a manufacturer of custom-made medical devices, we have a Quality Management System according to ISO 13485 (applicable to medical device manufacturers) in place in the company.
Now, in defining and implementing ISO 27001 using the materials provided by Advisera, we see that there are many overlapping aspects between ISMS and QMS.
In all the material that Advisera provides in the ISO 27001 toolkit you mention the figure of the CISO or Information Security Manager. In *** all these tasks are being managed by the QARA Manager, which is me in this case.
Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?
What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?
Could all these roles be covered by Spentys’ current QARA Manager?
What do you recommend in this regard?