ISO 27001 & 22301 - Expert Advice Community

Infosec responsibility for BCP from an IT perspective

is it logical to have the IT responsivity on BCP led by the Infosec team?

Impact scale in BIA (ISO 22301)

Assuming that this is a corporation with some subsidiaries. HR and accounting divisions cover all subsidiaries. There are many departments within each subisdiary. Then the impact scale should be established for each subsidiary/ division and apply for all departments belonged or impact scale should be established at departmental level?

Question around contractual and legal requirements

Will the organisation have to go through each agreement and determine? If so, this may be a time consuming exercise?

ISO27001-cryptographic control

1 - Would you be so kind to explain to me why I see differences between your explanation here: https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/

and my paper version of 27001 - there is Cryptographic control defined under A.10.1.

I have iso 27001:2013

In your text there is mentioned A.8.24

2 - my second question is - can you recommend me any webpage where can I see any example of cryptographic control. thank you

Migration from the 2013 to the 2022 documents

I am currently working on a project with a client attempting to get them ISO 27001:2022 certified. The project started in mid 2020 and we took over the project late last year and are using the 2013 version of the templates however, we are not sure whether we need to use the 2022 transition documents to update their project or whether we can stay on the 2013 iteration of the standard for their certification later on in the year. 

If you need any further context regarding the project, please let me know.

Is your ISO 22301 toolkit covering ISO 22361?

Could you please confirm whether you have Implementation Document Toolkits for ISO 22361:2022 - Crisis management — Guidelines and ISO 22316:2017 - Security and resilience? Or is your ISO 22301 Toolkit covering these requirements?

Latest version of Statement of Applicability

What is the latest version of Statement of Applicability? Have the controls changed since 2017?

How to keep being trained and skilled and best way to find work?

I am currently reading it and so far you succeded in making the topic of ISO27001 easy to understand and apparently simple to implement even though I have no expeirnce on that.

I hqve pqssed the ISO 9001:2015 Lead Auditor CIRCA Exam but kind of new in the profession. I also passed the foundation vouse for ISO 27001:2022 with your company.

I find mysleft isolated and not sure how to practice to keep what I learnt but most importantly find work because I am currently unemployed in the Philippines.

What advise would you give me to keep being trained and skilled as well as to the best way to find work (middle-east, south-east asia or Europe)?

Question about tools and scope

1 - what are the tools free for e.g. evaluation and you have also a repository for the documents.

2 - Can you tell me which tools are free and where i can see the list of document templates and which are mandatory for the certification ??

3 - What is in case of a Scope Extension when I want to incorporate also SW Products ???

Help for maintaining a risk register

I'm helping a organisation with their ISO27001 work.

I've seen the instructions on how to setup the riskregister which seems easy but do you have any instructions on how to work with the risk register the upcoming years and cycles after certification. (our mutal customer has implemented and certified ISO27001 in yoor tool)

It looks like you need to go through the process all over again to reach the register and all risks seems to get the riskvalus zero after a plan.

I'm looking to se the progress of making the risk smaller, filter and work with all risks in prioritization order which the auditors demand.

Can you guide me to any information, manual or video on how to work with the register after implemantation? (Or are you supposed to extract it and work in excel or alike)