Guest
What kind of documents are required to satisfy this clause? We have principles in place, but I'm unsure of the documentation needed.
Our company has a good incident response plan in place; however, is it a requirement of ISO 27001 that we also have an incident management procedure? Do we need this in addition?
Below are the reasons why numerous incidents need to be removed:
Since incidents currently cannot be removed from the Incident Register, what are we supposed to be doing now with respect to external auditing? We are quite concerned that numerous incidents contradict the incident procedure and can be marked as a non-conformity, which will cause a failure. (The client wants to remove incidents from the incident register in Conformio, but for now we do not have the possibility to delete them.)
I'm having trouble with how to rewrite our internal policies so that we can get ISO 27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance? For example, ISO 27002, 11.2.8 unattended user equipment: we already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get struck with a non-conformity when we fail to present evidence. Going off the same example I gave you, is simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs? Something else that interests me is how to deal with remote employees when rewriting our policies. How do we enforce a clear desk policy if they're working from home?
The auditor has indicated that there are a number of 2021 policies for which we cannot demonstrate, per the date stamping in Conformio, that the policies are valid/current in 2022. We don't want to change anything in the policies (e.g., the information security policy), but how can we demonstrate that an older policy is still valid in 2022 given that it is date stamped 2021?
We received this question:
Could you help me with the following questions?
1. How much detail is needed in the process of identifying and analyzing risks to information assets, given that many risks could be formulated for each asset?
2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account when grouping assets to simplify risk analysis?
3. Is there a predefined and/or recommended catalogue of threats that can be used as a basis for risk analysis?
4. Is there a predefined and/or recommended catalogue of vulnerabilities that can be used as a basis for risk analysis?
5. Is there a catalogue of recommended controls that can be used as a basis for proposing the ideal controls for treating the identified risks?
I have a question concerning the best method of creating an internal audit checklist. Should it use open-ended or closed-ended questions, given that your sample on advisera.com used closed-ended questions while your modules addressed using open-ended questions?