ISO 27001 & 22301 - Expert Advice Community




  • Register of Requirements and scope

    We would like to have the development and QA departments of *** certified. But we would like to include the hosting of our cloud service (which is done by our holding company) in all the documents already now. We have been advised to do so because we would like to keep the scope small for the initial certification but extend it later. I'm now working on the Register of Requirements. How can I make transparent which requirements are for Dev/QA of *** and which are for the holding (in other words, what is in the certification scope and what's for later)?

  • Controls in the SoA that do not show up in the Risk Assessment

    We have controls in the SoA that we want to implement, that are not specifically part of the risk assessment table i.e., not used to mitigate a specified threat. However, it still makes sense to implement these controls. Is that ok? Can we have controls in the SoA that are not specifically part of the risk management?

  • Handling termination and change of employment

    In which sections of ISO 27001 would the handling of termination and change of employment be located? Not sure where to find that.

  • Risk assessment Guidance

    1 - Is there a tool to help with risk assessment coverage from ISO 27k to 9k/20k?

    I need to update the risk assessment and wanted to know if there is set guidance and/or a tool to assist.

    2 - Is there a set policy or regulation for doing a risk assessment that includes these additional ISOs?

  • Validity and document management

    I have one minor clarification.

    All procedure templates have a validity and document management section as below:

    Validity and document management

    This document is valid as of [date].

    If we are creating this document today, which date do we need to mention here as "valid as of [date]"?

    Is it like we need to keep a date after 1 year or so when we plan to review the document again?

    For example, today is 12 AUG 2023; do we need to mention it as “This document is valid as of 12 AUG 2024”?

    Please clarify.

    If we keep a date after one year, then we should ensure we review/revise document before that and change this date to date after one year again. Correct?

  • ISO 27001 Toolkit for consultants questions

    I am reviewing the document toolkit for a project that I am about to start with a client and have the following initial questions to ask.

    Printed documents
    The documents are stored in electronic format in most organisations, but nowhere on the documents does the statement ‘uncontrolled when printed’ or similar appear in the header or footer.

    We have always inserted this statement into all documents within our work as otherwise a printed document could be picked up and used without checking that it is the latest version.

    We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?

    Improvement / non-conformance log
    I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only.

    We would always include an improvement log where all non-conformities and improvement suggestions (complaints, issues, improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words, a spreadsheet register that matches the non-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.

    Document control
    I don’t understand the document control procedure as it does not state how a change request is raised for consideration (a document change request, for instance).

    Again we would not call this a non-conformity but it would be raised in the improvement log prior to any change of document being authorised. What is this ‘Track changes’ referring to please?

    The procedure states:
    All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if the Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
    Each document should preferably have a "Change History" table used to record every change made.

    The toolkit does not contain a document register?

    This is going to make it difficult to show the version of all the latest documents – most cert bodies in my experience are looking for a master document register.

    Hope that makes sense, and apologies if I am missing something.

  • Gap Analysis for ISO 27001:2022

    Hi There

    I am looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?

    Many thanks

  • Checklist for ISO 27001

    1. I have the ISO 27001 Internal Audit Toolkit English and am starting the internal audit. The checklist provided for ISO 27001 only has listed up to A.8.34. The Statement of Applicability has up to A.18.2.3. Could I have the checklist up to A.18.2.3, please?

    2. Also, should the policies and procedure documents name specific individuals rather than job titles?

  • What asset to list when risks relate to general or high-level assets?

    In the risk register/table, some risks relate to high-level or more general assets that I do not have in my asset register.

    For example:

    • User error >> most assets

    • Information interception >> most assets

    • Malicious action by employees >> almost everything

    • Unauthorized access to the information system >> all system and docs

    • Leakage/disclosure of information >> all docs and data

    • Unauthorized change of records >> all systems with records

    What should I write as the asset for these risks in the relevant tables (risks, risk treatment, etc.)?
