ISO 27001 & 22301 - Expert Advice Community




  • Is the book still compliant with the latest amendment of ISO 22301?

    Thanks for the mail, and the explanation. I appreciate your effort in compiling such a comprehensive book and later following up on its effectiveness through the email communication below. I wonder whether your book still stands compliant with the latest amendment of ISO 22301, which was made in 2019. Please advise. If there have been any changes due to the latest update, I would really appreciate it if you could share your insight on those changes so that we can pursue the changes accordingly.

    FYI, I’m heading the Internal Audit function in a group of companies in ***. Last month, we delivered 3 days of training to the senior management in one of the companies on BCMS and have agreed with them to act as a consultant for them in preparing, developing, training and implementing BCMS in their company. This would lead them in aligning and making them prepared for an ISO audit at a later date. Accordingly, your advice on the aforesaid matter would be highly appreciated.

  • Statement of Applicability

    We are going to have our external surveillance audit soon and we have one control in the SOA that is still "in progress". What are the implications of this?

  • Scope of ISMS

    Here is how I scoped my ISMS:
    "The management of information security as it relates to Product Management, Engineering, Development, Software, Vendor Management, and Customer applications and data."

    The feedback from our auditor (during a pre-assessment) is that "The boundaries of the information security management system in terms of facilities/locations and personnel might be clarified. The determination of the boundaries within the scope is used to identify the interface of the system with other organizations, and where activities of the system are under *** full control and what security controls are addressed through other methods (agreements, supply management …) with other organizations."

    Would he be looking for geographic limitations, such as in the U.S., or cloud assets, globally, etc.? I'm not entirely sure what is missing in my scope.

    Any guidance/suggestions would be appreciated.

  • Understanding the organization and its context

    1. Can you provide any guidance or clarity on defining Clause 4.1 of ISO 27001: "determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system"?

    2. Also, where is this typically documented?

  • Organizational Chart

    We purchased your ISO 27001 toolkit and have a quick question.

    In the ISMS Scope Document (and any other applicable) is it acceptable to reference an Organizational Chart in the document for Employees in the Organizational Unit and not include the actual names, or do I need to keep the Scope (and any other applicable) document updated as employees come and go within the organization?

  • Implementation of the controls before audit

    We are in the middle of the development of the ISO 27001 system and are pressed for time with the certification audit coming up soon. Do all identified controls

  • Policy author

    I am implementing ISO 27001:2013 standard for a client in ***.

    My client has outsourced the ISO 27001:2013 policy development to an external consultant, and since the documentation is procured, all policy documents have the external consultant's name as the "Author". The policies are reviewed and approved by the client's CISO and Management representative.

    Does this comply with:
    "7.5.2 Creating and updating
    When creating and updating documented information the organization shall ensure appropriate:
    a) identification and description (e.g. a title, date, author, or reference number);"

    The external auditor has raised an objection for having an external consultant as the author of the policy.

    Appreciate your inputs on the same.

  • ISMS controls refer to Finance

    Would you be able to advise what controls refer to Finance as in a finance dept?

  • Risk assessment review

    Please, could you answer my questions? I have sent them to the chat but you didn't answer them during the webinar.

    When we implemented ISO 27001 2 years ago (small company, 10 people), our first risk assessment table had many unacceptable risks, so we created various treatments (controls, safeguards, document policies...) to regulate these risks. Taking treatment controls into account, the new assessment showed just 1 risk that remains as a residual risk; the other risks have a lower (acceptable) value.

    Now, we have modified our methodology and revised our risks in a new table (new version of the document). I have 2 questions:

    1. When we revise the risk management table on an annual basis (new document), I'm not sure whether we should assess risks (consequence and likelihood) with all implemented controls/safeguards in mind or without them? If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residual risks remain), and there is no need for additional treatment at this moment.

    2. Hypothetical: if all risks are acceptable according to our methodology, is it ok not to have a Risk treatment plan?

  • Risk Assessment Methodology

    Thanks for the webinar, it went as expected but rather quick.

    The question I asked which you didn't understand is about "ISO 27001 risk assessment methodology". It talks about defining rules on how you are going to perform the risk management because you want the whole organization to do it the same way. It further states that the "biggest problem with risk assessment happens if different parts of the organization perform it in a different way".

    Now my question is, can an organization have 2 or more risk assessment methodologies when they are supposed to work under one ISMS in the organization? Or why would an organization choose/have more than one risk assessment methodology?

    I hope that my question is clear.
