Guest
I am reviewing the “Statement of Applicability” document within the 27001 2022 toolkit and noticed that under the SOA table in para. 3, Applicability of controls, there aren’t any control objectives.
Can you confirm that the controls listed in ISO 27002:2022 are the same controls used in ISO 27001:2022?
Hi, firstly, thank you for creating a great product. We have a few further reference documents that we would like to include as part of the ISMS. These are related to our regulatory requirements; we should include the Australian Government's Information Security Manual (ISM) and Right Fit for Risk (RFFR). Can I please confirm the best way to add these two key documents?
We have a question about non-conformities.
We are now awaiting the results from our internal audit, and wonder which of their findings should count as non-conformities (if any). Is it only those with risk level "High" or "Critical" that should count as non-conformities, and the other ones as regular risks? Or how do we know how to classify the findings?
I am currently reading over the Supplier Security Policy and wanted to check something. Under the "Monitoring and review" section, it mentions auditing the supplier or auditor once a year. What exactly is meant by this? And is it required?
1. On the first management review meeting, should we discuss the internal audit?
2. Should the project manager gather all pieces of information during the project implementation?
Curious if there's any ISO security framework or standard for IoT like CSA? Thanks
A.18.1.1 is good to go (just reference the policy and note that due to sensitivity and attorney-client privilege, the policy was retained)
To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative, statutory, regulatory and contractual requirements in their information security policy document? I am trying to understand if other evidence, like a separate defined list of laws or at least an email from their legal department, is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney-client privilege" they would not share anything more than that first statement to reference? Thank you.
Going back through the risk assessment, I had a question! When including the risks, are we supposed to come at it with professional skepticism? For example, we have a system administrator who is a great employee. We would never expect them to do anything malicious. BUT, when looking at the possible threat of "falsification of records", should I still list it as a threat? Even if it is very unlikely, it is something that someone in their position is capable of doing.
What requirements are there for an "MSP* - managed service provider" type of a company regarding Supplier Security Policy and Security Clauses for Suppliers and Partners? I am curious about the data exchange, as the only data exchanged was in the data servers and we are not sure if there is anything necessary for us to do in that regard.
* managed service provider (MSP) is a third-party company that remotely manages a customer's information technology (IT) infrastructure and end-user systems.