ISO 27001 & 22301 - Expert Advice Community

Handling termination and change of employment

What sections or where would the handling termination and change of employment with ISO 27001 be located? Not sure how where to find that.

Risk assessment Guidance

1 - is there a tool to help with risk assessment coverage from ISO 27k to 9k/20k?

Need to update Risk assessment and wanted to know if there is set Guidance and or tool to assist

2 - is there set policy or regulations for doing a risk assessment to include these additional ISO's?

Validity and document management

I have one minor clarification.

In all procedure templates have a validity and document management section as below:

Validity and document management

This document is valid as of [date].

---------------------------------------------------------------------------------

If we are creating this document today, which date do we need to mention here as valid as of [date].

Is it like we need to keep a date after 1 year or so when we plan to review the document again?

For example, today is 12 AUG 2023, do we need to mention as “This document is valid as of 12 AUG 2024”.

Please clarify.

If we keep a date after one year, then we should ensure we review/revise document before that and change this date to date after one year again. Correct?

ISO 27001 Toolkit for consultants questions

I am reviewing the document toolkit for a project that I am about to start with a client and have the following initial questions to ask.

Printed documents
The documents are stored in electronic format in most organisations, but nowhere on the document does the statement ‘uncontrolled when printed’ or similar appear in the header of footer 

We have always inserted this statement into all documents within our work as otherwise a printed document could be picked up and used without checking that it is the latest version.

We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?

Improvement / non-conformance log
I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only.

We would always include an improvement log where all non-conformalities and improvement suggestions (complaints, Issues, Improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words a spreadsheet register that matches the con-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.

Document control
I don’t understand the document control procedure as it does not state how a change request is raised for consideration (document change request for instance)

Again we would not call this a non-conformity but it would be raised in the improvement log prior to any change of document being authorised. What is this ‘Track changes’ referring to please?

The procedure states
All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Each document should preferably have a "Change History" table used to record every change made

 The toolkit does not contain a document register?

This is going to make it difficult to show the version of all latest documents – most cert bodies in my experience are looking for a master document register. 

Hope that makes sense and apologies if I am missing something

Gap Analysis for ISO 27001:2022

Hi There

looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?

Many thanks

Checklist for ISO 27001

1. I have the ISO 27001 Internal Audit Toolkit English and am starting the internal audit. The checklist provided for ISO 27001 only has listed up to A.8.34. The Statement of Applicability has up to A.18.2.3. Could I have the checklist up to A.18.2.3, please?

2. Also should the policies and procedure documents be specifically named individuals rather than Job title?

What asset to list when Risks relate to general or high-level assets?

In the risk register/table, some risks relate to high-level or more general assets that I do not have in my asset register.

For example:

• User error >> most assets

• Information interception >> most assets

• Malicious action by employees >> almost everything

• Unauthorized access to the information system >> all system and docs

• Leakage/disclosure of information >> all docs and data

• Unauthorized change of records >> all systems with records

What should I write as an asset for these risks in the relevant tables (risks, risk treatment etc).

ISO 27001 2013 vs. 2022 revision

A company is going for its first year ISO 27001 surveillance audit based on ISO 27001:2013. I have been appointed to perform its internal audit. Kindly advise if we should cater for the 2022 revision during my audit. If yes, in which section and how.