ISO 27001 & 22301 - Expert Advice Community




  • Conformio ISO Documentation


    Have a few questions about documentation. So for the ISMS project, there is an IT security policy doc which includes, e.g.:

    3.12. Clear desk and clear screen policy

    3.11. Password responsibilities

    3.9. Authorizations for information system use

    3.7. Backup procedure


    Should it all be in one document (IT Security Policy), or can we divide them and use each one separately?


  • Sample data for MSP

    I’m currently trialling the use of your Conformio platform in our environment.

    We are a managed service provider, offering hosting of specific financial consolidation platforms as IaaS through cloud providers (more specifically, ***).

    I understand that ISO27001 documentation is very specific to a case organization, but I also believe a large part of the documentation to be … “standard”. If I were to remove the specific software platforms that we host and consult on, we are just another *** Provider. Do you have sample artefacts, such as risk registers or statements of applicability, that apply to organizations like that?

  • Copying documents

    Why do auditors copy documents from one organization to another? Is it to make their jobs faster, or to use them as a starting point for the new organization? Though it was stated in the training that copying documents is not a good practice.

  • Conformio - setting up people and departments

    I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.
    What detail is required
    As far as legislation is concerned I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018 do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”.
    You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts, etc., are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities.
    There are quite a lot of acts, etc., that I have heard of but don’t know in detail, e.g. the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!
    Valid from and deadline dates
    What are these dates aimed at?

  • ISO27001 Implementation

    Good day

    I trust this email finds you well.

    I have a question; I wonder if I may ask. I understand that your services are in fact your income, so I don’t want to seem as though I am taking advantage.

    We are a software development house, planning on implementing ISO27001.  I am going through the webinars and also the Foundations Course. 

    May I ask, the controls start at 5 (5.1) – is this because this is where the 27001 family starts? We just want to be sure not to miss Controls. If there are 114 Controls (in 40 sections), I take it not all of them fall under ISO27001 – is that why not all 114 are listed?

  • Scope in Conformio

    Thank you for offering assistance. We have started gathering interested parties and requirements. 

    We are struggling with the scope of this list. 

    For example, ISO9001 covers the “local community” as an interested party…. But I presume this is not applicable here because they have no interest in our ISMS and our ability to prevent a breach. If it is limited to people who have an interest in our ISMS and our ability to prevent a breach then it would be easier. 

    Our client may have concerns about our ability to keep the documentation and passwords that we possess on our systems safe from a breach.

    But services we provide to them to keep them/their systems and data safe from a breach are not in scope I believe…? But we need to clarify that. 

    Any guidance you can offer would be greatly appreciated.

  • Best approach in evaluating time and effort for certification

    What would be the best approach to evaluate the time and effort needed for certification, in case you win business that requires it (for example, a site of 200-500 employees, 50 employees for the business)? To rephrase the question: what is the best first step to evaluate the effort and time needed to become certified (in case a customer requires certification for new business)?

  • Risk Assessment Questions

    1. I have one hundred laptops, and thirty servers, do I list them all individually in the Risk Assessment Table?

    2. The aforementioned devices are in outsourced data centers, but they still must be listed as risks, correct?

    3. I am assuming that much of the risk will be transferred to the outsourcer?

  • Toolkit content

    Per my discussion with the marketing team before the Toolkit was purchased, I was informed that the Toolkit includes the analysis spreadsheets that we can use to collect data and analyse the results. Per the two links issued below, what we see is the tutorials. As explained, all we need is a tool to collect data and analyze it, not a tutorial on how to collect data.

    Please let us know how you will assist us on this matter. I cannot find any data analysis sheet within the RAR zipped folders.

  • Implementation process

    I am about to start the implementation of the ISO 27001 system. I would like to ask, in general terms, about the process for the implementation, and likewise to know what the process is if I wanted a consultancy.
