ISO 27001 & 22301 - Expert Advice Community

  • Is SOC mandatory for ISO 27001?

    For ISO 27001, is a SOC mandatory? I am referring to a Security Operations Centre.

  • ISMS Scope Extension

    Hi All

    I have implemented an ISMS in one department, which is IT, and got the ISO 27001 certificate with the IT department as the scope. Now I need to extend the scope to other departments like Admin, Finance, Trading and other divisions of the organization. How can I do that, and what steps should I take so that the requirements from 4 to 10 are fulfilled and I can also select some controls in Annex A?

    I have a doubt whether I can extend the ISMS to other departments; can anyone please guide me on how to extend this scope?

    Thanks

  • Auditing suppliers - ISO 27001/Data Protection

    We are using Conformio and also have your Data Protection kit. One thing common to both is the need to audit suppliers. Our supply contracts will not justify in-person audits or even lengthy online audits. I have your internal audit booklet, have been through your internal audit course a couple of times and carried out an internal audit for our company. However, our supply contracts will not justify in-person audits or even lengthy online audits (like our internal audit).

    Do you have any guidance/resource for carrying out a “lighter” audit e.g. checklists/questionnaires/guidance on what to look for? I can construct something but wondered if you had anything.

  • CCTV retention time

    What does ISO say about CCTV retention? And how long is it ideal to keep footage per ISO standards?

  • Cloud security risk assessment methodology

    I have purchased ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit English (with live expert support).

    I need expert help on how to use this documentation for a cloud security risk assessment methodology and a set of security controls to be used for security assessments during the cloud adoption lifecycle in a customer environment.

  • Audit of an application hosted on a private cloud virtual server

    How would you perform an audit of an application hosted on a private cloud virtual server?

  • Inquiry on IT Risk Assessment and IS Risk Assessment

    I was assigned to do a review of a company's (financial institution) IT and IS Risk Assessment. However, I am confused about the difference between the two assessments. How will I start? And are the IT Risk Policy Manual and IT Risk Management Framework the same? How are they related to both the ISRA and the ITRA?

  • Choosing the right Certification Body for ISO27001 Compliance

    Dear Team, I have come across a certification body for my company's ISMS certification. The certification body is accredited by IAS. When I looked at the scope of accreditation, the country of operation is Qatar. I want my US entity to be certified. In this case, is it advisable to go with this certification body?

    Could you guide me on this?

  • Justification and control objectives

    I am currently running back through the statement of applicability, and was wondering what is expected of us when it comes to the audit for the justification and control objectives column. I don't necessarily have legal or contractual reasons for justifying some controls, but they still apply. For example, we are fully remote so teleworking applies. Am I allowed to fill the justification in for this with the reason being that we operate on a remote structure?

  • Evidence of InfoSec Awareness Training

    I would like to know what kind of evidence is acceptable for the InfoSec Awareness Training, is a report of all employees who completed the training enough?
