ISO 27001 & 22301 - Expert Advice Community




  • Security Objectives

    Conformio gives pre-defined SO's.

    a. Is it possible to create customized SO's?

    b. For the predefined SO 'Decrease the costs of complying with information security & privacy regulations by x% because of ISO 27001 implementation', what is the meaning? Where is the guidance/metrics to measure this?

    c. Is there a specific reason why only this many predefined SO's are provided?

    Looking forward to your kind response.

    Thanks & Regards


  • Documentation of requirements

    I checked the documents one by one against the ISO27001 Standard. Below are the clauses that I could not find being addressed in your ISO27001 Documentation Toolkit.

    Could you please confirm whether the toolkit is tailored to the specific organization or environment?

    4.1 Understanding the organization and its context
    5.1 Leadership and commitment
    6.1 Actions to address risks and opportunities
    6.1.1 General
    7.1 Resources
    The organization shall determine and provide the resources needed for the establishment, implementation,
    maintenance and continual improvement of the information security management system.
    7.4 Communication
    8.1 Operational planning and control
    9.1 Monitoring, measurement, analysis and evaluation
    10.2 Continual improvement
    The organization shall continually improve the suitability, adequacy and effectiveness of the information
    security management system.

    A.5.1.1 Policies for information security
    A.5.1.2 Review of the policies for information security
    A.6.1.1 Information security roles and responsibilities
    A.6.1.2 Segregation of duties
    A.6.1.3 Contact with authorities
    A.6.1.4 Contact with special interest groups
    A.6.1.5 Information security in project management
    A.7.2.1 Management responsibilities
    A.7.3.1 Termination or change of employment responsibilities
    A.9.4.2 Secure log-on procedures
    A.9.4.4 Use of privileged utility programs
    A.9.4.5 Access control to program source code
    A.11.1.1 Physical security perimeter
    A.11.1.3 Securing offices, rooms and facilities
    A.11.1.4 Protecting against external and environmental threats
    A.11.1.6 Delivery and loading areas
    A.11.2.1 Equipment siting and protection
    A.11.2.2 Supporting utilities
    A.11.2.3 Cabling security
    A.11.2.4 Equipment maintenance
    A.12.1.3 Capacity management
    A.12.1.4 Separation of development, testing and operational environments
    A.12.4.4 Clock synchronisation
    A.12.6.1 Management of technical vulnerabilities
    A.12.7.1 Information systems audit controls
    A.13.1.3 Segregation in networks
    A.14.2.3 Technical review of applications after operating platform changes
    A.17.1.1 Planning information security continuity
    A.17.1.3 Verify, review and evaluate information security continuity
    A.17.2.1 Availability of information processing facilities
    A.18.1.3 Protection of records
    A.18.1.4 Privacy and protection of personally identifiable information
    A.18.2.1 Independent review of information security
    A.18.2.2 Compliance with security policies and standards
    A.18.2.3 Technical compliance review

  • Scope of ISMS

    Regarding the implementation of the ISO 27001 standard, we are in the process of determining the scope.

    Our company deals with the following areas:

    1. development of IT solutions,
    2. digitization of documents,
    3. hosting and
    4. keeping a paper archive for our clients.

    It is clear to us that the first three areas need to be in scope. It is not clear to us whether there should be a paper archive in the scope.

    We would appreciate advice on this issue.

  • Terminating Employee

    I want to terminate one employee, as he doesn't adhere to his job responsibilities. How can I do this without breaching our ISO 27001?

  • ISO 27001 implementation

    My questions relate to the ISO 27001 policy and the standards and guidelines for implementation. I need to know if the documentation toolkit is inclusive of written policies and standards for implementation.

    The A.12 Protection against Malware policy, for example, has the control objective of ensuring that detection, preventive and recovery controls should be implemented.

    In my new organisation, the standards for implementing the Controls against Malware cover detection and prevention but make no mention of recovery. Do I include recovery controls in the standard?

    Also, some policies overlap into different clauses, i.e. A16 Information Security Incident Management and A17 Information Security Aspects of Business Continuity. Should there be a single policy that is used to reference a similar control, or should there be different policies relating to the same subject?

  • BYOD

    In the BYOD Policy and the Secure Development Policy there are documents mentioned in the table, such as "Procedures for secure information system engineering" and "Testing plan for security requirements and system acceptance". Where can we find these documents?

  • Lead Auditor / Lead Implementer

    1. If someone enrolls for ISO 27001 Lead Auditor/Lead Implementer training at an ISO accredited training provider and passes the exam, will he/she/they automatically be eligible to include ISO 27001 Lead Auditor/Lead Implementer at the end of his/her/their complete name?
    2. Related to question #1, how can I verify someone else's credential in ISO 27001 Lead Auditor/Lead Implementer certification? Is there any URL to validate it?

  • Conformio questions

    1. Can I treat the Project Plan as a statement of intention? If we do not meet the deadlines we have set in the Project Plan, would this be a problem during certification?

    2. At the end of each document in the wizard, there is a set review cycle of 6 months or 12 months depending on the document. Why is this set in such a way, and could I change it?

  • DevOps

    If my technology firm outsources DevOps, on an asset register (on which to base a risk register) do I need to know the make and model of the hardware/software used by the outsourcing organisation, or is it sufficient to log that the outsourcing organisation represents a risk as they are a third party?

  • Risk register

    I deselected some controls to see where the residual risk would change from 0 to 1 to 2 to 3.

    When I deselected some controls the residual risk went from 0 to 3, nothing in between.

    When I re-checked all of the controls the residual risk remained at 3.

    How do I reset the value back to 0?
    How do I get a residual value of 1 or 2?

    Asset: Network equipment
    Vulnerability: Rules for IT/communications equipment not clearly defined
    Threat: Interruption of communication services
    Which items to select?
