ISO 27001 & 22301 - Expert Advice Community

Internal Audit Questions

1. On the first management review meeting should we discuss about the Internal Audit  

2. Should the project manager gather all pieces of information during the project implementation

ISO security framework or standard for IoT

Curious if there's any ISO security framework or standard for IoT like CSA? Thanks

A.18.1.1 Identification of applicable legislation and contractual requirements

A.18.1.1 is good to go (just reference the policy and note that due to sensitivity and attorney client privildge, the policy was retained)

To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative statutory, regulatory, contractual requirements in their information security policy document? I am trying to understand if other evidence like a separate defined list of laws or at least an email from their legal department is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney client privildge" they would not share anything more than that first statement to reference? Thank you.

Risk Assessment Question

Going back through the risk assessment, I had a question! When including the risks, are we supposed to come at it with professional skepticism? For example, we have a system administrator who is a great employee. We would never expect them to do anything malicious. BUT, when looking at the possible threat of "falsification of records", should I still list it as a threat? Even if it is very unlikely, it is something that someone in their position is capable of doing.

Requirements for MSP Company Regarding Supplier Security Policy

What requirements are there for an "MSP* - managed service provider" type of a company regarding Supplier Security Policy and Security Clauses for Suppliers and Partners? I am curious about the data exchange, as the only data exchanged was in the data servers and we are not sure if there is anything necessary for us to do in that regard.

* managed service provider (MSP) is a third-party company that remotely manages a customer's information technology (IT) infrastructure and end-user systems.

Implementation of ISO 27001 already having a QMS (ISO 13485) in the company

Dear Dejan,

I am in charge of implementing ISO 27001 in the company. For this purpose, we have purchased the ISO 27001 Toolkit from Advisera, exactly ISO 27001 Documentation Toolkit English (with extended support).

In our case, we have a question that we would like to clarify with you, as we are sure you have seen more cases like this in many other companies.

*** is a small company (around 20-30 people) that is in a growth and expansion phase (in the next few years). As we are a manufacturer of custom-made medical devices, we have a Quality Management System according to ISO 13485 (applicable to medical device manufacturers) in place in the company.

Now, in defining and implementing ISO 27001 using the materials provided by Advisera, we see that there are many overlapping aspects between ISMS and QMS. Our doubt is to know if you recommend us to maintain two totally separate systems or to unify them into one. What would be more recommendable for the company now and in the long term?

My question is focused on the fact that you provide us, for example, with a procedure for internal audits, documentation control, management review, which are similar to the ones we already have but with quite different approaches. So, we don't know if it would make more sense to have the ISMS totally separate from the QMS and have these procedures totally separate, each with its own Scope, or to try to unify to have a single procedure for internal audits, management review, document control...

What would you recommend in this situation?

Thank you very much in advance.

 All the best.

ISO 27001 Audit

Hi - I have a question regarding the ISO 27001 audit.

My company is going through this audit process.

We are currently going through a restructure in our People team and have 2 junior people in the department. We are in the process of recruiting an HR manager but will have the junior staff in the interim so no senior HR person within the business.

Would we fail on an audit because of this?

ISMS Roles and Organisation within Conformio

I’m trying to set up the ISMS organization roles for the ISO27001. Are there any guidelines about the necessary roles? Or some examples of how ISMS organization should look like and map to the Conformio roles?

Statutory, regulatory, and contractual requirements (clause A.18.1.1)

Hope you can help me with a question. On your website the document below is listed among the mandatory documents:

Statutory, regulatory, and contractual requirements (clause A.18.1.1)

However in the toolkit file “List_of_documents_ISO_27001_Documentation_Toolkit_EN” it is not mentioned.

Also I cannot find a template in the toolkit. 

Could you please confirm on whether this document is Mandatory or not and provide a template?

ISMS and BCMS

I am delighted to be able to start implementing the ISO 27001 standard. I have several questions as I begin to complete your documents:

1. In the document "PROCEDURE FOR THE CONTROL OF DOCUMENTS AND RECORDS", I have to choose between ISMS and SMCA.

When filling out the "PROJECT PLAN", I read one of your comments "Delete this text and the table if business continuity management is not part of the project."

Can we do both with your kit? Does choosing the ISMS automatically include the SMCA?

2.In the document "PROCEDURE FOR THE CONTROL OF DOCUMENTS AND RECORDS", we must define the Title of a post ensuring the conformity of the documents.

We are 5 in the company. I am the founder and I took charge of the file. Should I put my name, my post of "President" or other.

Can I put my role in this "Quality Manager" project?