ISO 27001 & 22301 - Expert Advice Community




  • ISMS system

    Thanks, Dejan. This is useful. Usually, most companies would have their best people in front of the customers. Sadly when it comes to implementation they are not around and the entire activity is left to inexperienced folks who usually go by the book.

    1. We have put in place an ISMS system. We are yet to perform a gap assessment to evaluate how far we have progressed in the journey. To me, this is the time (prior to gap assessment and then certification) to assess how much of what we have written is applicable, i.e., of relevance in context to changing business requirements and to the organization's appetite for investment, and then amend the ISMS to appear more practical.

    Is the above mentioned relevant?

    2. What ISMS documents do the auditors look at? Or, to say it differently, which document is critical to ISO certification?

  • ISO 27001 certification

    How can I get certified within 3 months?

  • Scope of BCMS

    How to define the scope of BCMS and start implementing. Do I have to include all the functions in the Organisation to go for ISO 22301 certification?

  • PDCA definition

    How can I define the activity in each PDCA and the time for each one? What is the activity example to start the project? If you can give me an answer for both ISMS implementation and Risk treatment plan, that would be great.

  • ISO 27001 implementation

    1. Do I need to list individual software licenses in the risk assessment or can they be put into broader categories? I’m thinking ahead to an eventual audit and what an auditor might want to see to show that we are taking everything into account.

    Software tools that may contain PII and/or confidential information
    Software tools that do not contain PII and/or confidential information

    And do they need to be separated by whether they are run on premises only or in the cloud?

    Or, do I need to put:
    Microsoft Office,
    etc and list all threats/vulnerabilities of each?  We have a list of all software tools that contain PII for GDPR already in the Appendix – Inventory of Processing Activities.

    2. Is there an easy way to know which controls would apply for each vulnerability? I.e. a mapping to the vulnerabilities that are pre-populated in the Risk Assessment? I think that each vulnerability listed probably has a specific control so having a mapping would save a lot of time vs trying to match them one by one.

    3. When creating the risk assessment using the Asset-Threat-Vulnerability method and assigning a Likelihood, do we take into account the current state of that risk given our already implemented (pre-ISO 27001) controls? I.e., if we have multi-factor authentication, the risk of access to our email system is lower, therefore would we put a lower number for likelihood? I assume this is the case, but am not clear.

    4. Do you suggest using the OCTAVE Allegro worksheets (or something similar) for polling the risk owners while creating the Risk Assessment, or is there a questionnaire available that can be sent to them with specific questions that I am missing?


    A number of your documents have a section called 'MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT'.  Is this absolutely necessary or can we delete this section?

  • Incident Management - Capturing the incident

    If we have a help desk system that we use to capture users' issues to the Help Desk, is this considered as Incident Management?

    Can this supersede the need for an actual Incident Management Form?

    The standard says this is mandatory, but wouldn't this duplicate what is being done in the help desk ticketing system?

    Or does ISO 27001 have a different definition of an incident from an incident in a help desk management system?

    Please assist, thanks.

  • 2-factor authentication for Virtual Private Network

    Is it a specified requirement in ISO 27001 to have 2FA for a Virtual Private Network connection?

  • Signatures in documents

    I wanted to know if we need to get management signatures for each and every process of ISO 27k and 20k, or can we get a one-page signature on the index page mentioning all processes with the final version number as signed?
    Note: in case management is not willing to sign multiple pages.

  • ISMS scope document

    1. What is to be included in the scoping document beyond simply stating the locations that are 'in scope' for the ISMS?

    2. And when does this document need to be created - before the Project Plan is signed off?
