ISO 27001 & 22301 - Expert Advice Community




  • Audit and Risk Management

    I'm in the process of an audit for license and patch management for an internal audit. Which documentation is needed for such an audit process?

  • SWOT of ISO 27001

    In order for me to understand ISO 27001 better, can you provide me with a SWOT analysis of the ISO with an example for large organisations (1 million+ member voting systems)?

  • Advice on ISMS implementation for Group and subsidiary companies

    Please, I need some professional advice.

    A holding/group/mother company with other legal subsidiary companies wants to implement an ISMS for the group, with the scope including the subsidiary companies.

    The group company and the subsidiary companies are all located at the same place.

    The same staff works for both the group company and the subsidiary companies.

    They all share the same assets.

    But the subsidiary companies offer different products and services.

    What do you suggest should be the best way to implement the ISMS towards achieving certification?

  • Questions about risk

    1. What is the expected risk level of the residual risk? Assuming acceptance is below 3, should a residual risk level be more than 3 after having implemented all controls?

    2. Clause 6.1.1 requires actions to address opportunities.
    a. What are opportunities in relation to the ISMS?
    b. What are the actions to address opportunities?

    3. What determines the likelihood of occurrence in a risk assessment? Is it the frequency of occurrence of an activity/process?

  • CFO exclusion from ISMS Scope

    I'd appreciate your help/reassurance on a query regarding our ISMS scope.

    For our ISMS scope, I have added in an organisation chart. On the basis of your advice stating that 3rd parties are out of our remit of control, I have put our CFO (he is an independent consultant) and shareholders out of scope.

    In the section on exclusions from scope, are we okay to exclude the CFO/Finance function and shareholders from the scope?

    Thank you in advance for your guidance on the above.

  • How to reference clauses and Annex A controls in an ISO 27001 internal audit report

    Since the standard is licensed, how can we appropriately reference/include ISO 27001 Annex A controls and clause requirements in an internal audit report to show which control/clause is not being met?

  • Example of a completed Risk Assessment Table

    Do you have an example of a completed Risk Assessment Table I could look at, please? I am interested particularly in the numbering system. It seems to me the numbering should run by asset, not by vulnerability, so 1.1, 1.2, etc. until the next asset.

  • List of documents for BCMS

    Is it feasible to have a sequential list of documents only for the BCMS?
    I should mention that we already have an ISMS implemented and will shortly begin implementing our BCMS. Regarding the documents, we purchased the complete package to help us complement the ISMS we currently have.

  • Questions for applicability

    We have a few questions regarding applicability in the toolkit.

    1) Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

    Could you provide some guidance on how we can tackle this?

    2) STATEMENT OF APPLICABILITY - Applicability of controls.

    Justification for selection/non-selection
    Control objectives
    Implementation method

    We'd also appreciate some more guidance regarding this subject.

    Could you please help us understand why it is not allowed to do the following with BYOD: connect via Bluetooth to any kind of device?

    4) Risk Assessment 05.2_Appendix_2_Risk_Treatment_Table_27001_EN and 05.1_Appendix_1_Risk_Assessment_Table_27001_EN and
    How can we ensure we include all applicable risks? From your experience, is it enough to keep the risks suggested by the toolkit? Do you have any techniques for assessing the risks ourselves?

  • ISO 27001

    I need an expanded scope of applicable standards and international regulations, a clear statement of the goal, the intended scope of the study, a clear calendar schedule, and each artifact on international requirements on personal data protection, telecommunications, and incident investigation.
