ISO 27001 & 22301 - Expert Advice Community

A proof for fulfillment of requirement A.9.5.1 from ISO 27017

Our certification body has asked us to show the proof of implementation of A.9.5.1 from ISO 27017: "Risk assessment performed and mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment. (s1)"

Could you please give us some examples on what kind of proof we would need to present to the certification body?

Control A.11.2.4

When looking at control 11.2.4, does this apply to all equipment? Or, just equipment crucial to business continuity? We do not have any equipment owned by the company other than laptops, so we are just looking to see what we need to do in terms of servicing our equipment.

IT Security Policy too narrow

We are using the wizard to create the IT Security Policy, and we found that the context in the IT Security policy is too short and seems that it cannot meet the requirements of ISO 27001. For example, the context in the IT Security policy didn't make any references to SOA controls. How would you advise how we can complete the IT Security policy according to the ISO 27001 standard?

Scope definition

In your opinion if several registered entities with different natures of business (e.g., data operator, business optimisation consultancy, publication house, and a financial service provider) are part of a registered holding company, how do you determine the ISMS scope, would it pass an ISO audit if the holding company drafted an Acceptable Use Policy or Wi-Fi AUP with expectation of a "one size fits all" entities?

Or would each entity have to have a separate policy that aligns to the holding company's security objectives as far as it applicable to them on an individual basis?

27001 audits

How would I audit a large company who holds their ISMS processes at their head office but have 120 sub sites who mainly only supply construction work for the company. Head office is in *** and about 60 sub sites in ***. My point is, as far as the ISMS is concerned it is operated from the Head office who hold all the clients’ data.

Question from ISO 27001 Foundations Course

When talking about interested parties in clause 4.2. The video starts with saying it is Required to Document interested parties and their Information Security requirements. By the end of the video he says Clause 4.2 requires this analysis to be conducted but not documented. Can this be corrected or documented below the video? Many of the questions on the test cover what is required and not required to be documented, so this just adds to the confusion.

Links between 14001, 27001 and 45001

The real question is are there natural linkages between 14001, 27001 and 45001 that can be built upon in developing the operating systems environment that you want to achieve, and satisfy the requirements of the three in the process. This is what we need to ensure that we're asking the best questions and tasking the people in the right direction. We look forward, not at lagging indicators, but at guiding science.

Special Interest Groups

For ISO27001 a.6.1.4, what would be some examples of special interest groups?

SOA Based ISMS Manual

We have now taken the first steps, but are still waiting for the release of the ISO standard for 2022.

We also want to align our SOA with this new version. I intend to structure the SOA in such a way that I have a high-level document that only contains the controls and the selection including the justification - the document is also available to customers because they have already asked for it in the certification process. The 2nd level describes the requirements from the standard and our planned and implemented implementation in more concrete terms - this also results in a kind of "Security Management Manual".

I have attached an initial draft for A5 (Organizational Controls) (2022). What do you think of it, does this procedure suit an auditor?