ISO 27001 & 22301 - Expert Advice Community




  • Working from home

    With your permission, I have a question. Does ISO have a standard that links information security with teleworking or home working?

  • ISO 27017 and ISO 27018

    I have been asked a question regarding a customer showing their customer that they have aligned the ISO 27017 and ISO 27018 controls to the ISO 27001/ISO 27002 Annex A controls. Could this be entered on the certificate or mentioned in the scope statement if it was included in the needs & expectations of interested parties?

  • Is there a difference between ISO 27002 and Annex A?

    Please confirm if there is a difference between ISO 27002 and Annex A. I’m busy preparing to write the IS competence unit I failed and want to make sure that I have the right material.

  • Question on ISO 27001 Documentation when ISO 9001 is already in place

    One of our clients in the USA is already ISO 9001 certified, and we are supposed to assist them in the implementation of ISO 27001. I want to get your opinion on the documentation approach that we should follow. Should we work on integrating ISO 9001 and ISO 27001 by combining some documents, or is creating a separate set of documentation a better approach? What is usually followed by other organizations when they are already ISO 9001 certified and moving forward with ISO 27001 implementation? I have downloaded your document that clarifies the matrix between ISO 9001 and ISO 27001, but it does not give me enough clarity on what documentation approach should be followed while drafting in this scenario, when the company is already ISO 9001 certified and all documentation is in place.

    Looking forward to hearing from you for the necessary clarification, and please suggest whether an integrated toolkit approach for ISO 9001 and ISO 27001 is available.

  • RPO, RTO, BC strategies, testing and exercising

    Can you explain more on RPO, RTO, BC strategies, Testing, and exercising?

  • Certification Process

    Hi, just following on from the webinar last week regarding the Certification Process, which was very good, thank you. I’ve a couple of questions if that’s OK:

    1 - Training / Awareness

    Prior to the webinar we had been led to believe that our planned approach, namely:

    - Publish the IS policy & notify everyone it is available, but not actually record who has read it
    - Publish a number of awareness bulletins and encourage people to discuss them at team meetings
    - Run a small number of online sessions whereby information on various aspects of ISO 27001 / Information Security is presented. The attendee list for these events would be retained

    would be sufficient. Would you agree with that or, as I think you implied, would the auditor expect that we had a more formal approach to training, with people being recorded against the training sessions they have completed?

    2 - Internal Auditor

    Is it mandatory that the internal audit is carried out by a certified auditor (whether that’s an internal member of staff who has been trained or a 3rd party retained for the audits)? One thought was that, following the first initial audit where we would use a qualified third party, we would compile questions that would need to be completed for subsequent audits. Selected people would then take those questions round the business at the appropriate time, though they would not necessarily be accredited.

    Any information you can give would be greatly appreciated.


  • ISO 27001 documents

    These controls are listed in ISO 27002. How do you decide whether they are mandatory or not? Because different companies will require different controls. For example, software developers will definitely require A.12.6 – Technical Vulnerability Assessment.

    The following are not in the toolkit. Please furnish:
    A.18.1 Compliance with legal and contractual requirements


  • Scope

    I'm in the process of defining the scope according to ISO 27001 for a company whose core business process is based on the analysis of data. The IT infrastructure is entirely based on the cloud (PaaS) and the company has a dedicated physical location. This is a small organization (20+ people) that works remotely by connecting to the cloud. The cloud is not public; it belongs to our holding company. The holding company also provides human resources for our company.

    Organizational scope: Developer, Operation, supporting team
    Information and technologies scope: only the technical services used in the cloud, not the OS, VM, physical server, ...
    Physical scope: only the premises related to our company

    Is that right?

  • ISMS implementation

    Hi, we are a software development company that is on its way to planning an ISMS implementation. I have a couple of specific questions about the definition of the scope of the ISMS.

    We would like the scope of the ISMS to be the whole organization. We are not going to leave any parts, units, services that are internal outside of the scope. I have noticed that there is some granularity to the specific items of the scope. In the course videos you provide it wasn't this way.

    1. Processes and services. Should I write about each service and each process specifically as part of the whole business model? Example: Managed Service Provider Service and all its processes; Software Development Service and all its processes; Software Support Service and all its processes; Cloud Infrastructure Consulting Service and all its processes. OR may I just put something more general that points to the idea that all the organizational business and processes are in the scope? A broader definition might be open to interpretation, but we really want the whole organization to be covered by the security benefits of having an ISMS in place. Example: Every service and process that is a part of the organization and its business is included in the scope.

    2. Organizational units. May I just get away with putting down that the whole organization and all organizational units are included in the scope? Do I need to define organizational units if I am not going to leave any of them out of the scope? Would an auditor be OK with that definition and would he/she understand that the whole organization is covered by the ISMS? The problem is that the organization is fairly fluid and ever-moving and changing in regards to units and departments. This doesn't mean that people who are responsible for certain things are not appointed. Everything is logged, double checked and audited, but it would be a bit difficult to channelize every organizational aspect into a department or a unit.

    3. Network and IT infrastructure. This one seems really tricky for me. A lot of our IT infrastructure is ever-changing, so to speak: networks, devices, services are constantly added, removed, migrated, changed. If I need to list every piece of IT infrastructure and network, that would be an Inventory of Assets of its own. So the question is: when I've actually done the work to mark every piece of data in the Inventory of Assets, do I need to relist everything under the "Networks and IT infrastructure" as well? May I just put in something showing the general concept of ISMS coverage (i.e. everything)? Would a definition like "All networks and IT infrastructure that are located in the (and here I would just specify the location) are a part of the scope" work? Our IT infrastructure is only in one physical location and also the cloud. We are using the IaaS model and sometimes PaaS as a model. In this regard I would list those in the supplier policies and not in the scope.

  • Level of implementation in a country’s companies

    I would like to ask you what the level of implementation of ISO 27001 and ISO 22301 is in *** companies, to have a notion of the incursion of quality in my country.
