ISO 27001 & 22301 - Expert Advice Community

Control 6.6 – Confidentiality or Non-Disclosure Agreements - NDA compliance

Hi, I have a question on how to audit the following:

The company (Xcompany) where I work has acquire another company (Ycompany), so now (Ycompany) is part of (Xcompany), in this way, their employees needs to sign new NDAs with (Xcompany) right? or if they already has NDAs signed whit (Ycompany) it is no necessary?

Thank you for your help

Backup Policy and the Cloud Storage

Concerning the backup policy provided in the Toolkit, the company's data is stored at **** Cloud which we obviously do not manage.

The backup is done automatically and in case of deletion of files/folders, we just have to restore the deleted files/folders thanks to the web interface.

Do I have to indicate this in the backup policy?

ISO 27001 Stage 1 & 2 Audits

I have been advised that UKAS rules state, following a Stage 1 audit, the Stage 2 audit must be carried out within 3 months of the Stage 1. Please could you confirm if there is indeed a time limit between the audits, and if so, advise what this time limit is.

Organizational chart - ISMS

I am the Quality Manager at *** and I am in charge of implementing ISO 27001 in the company. For this purpose, we have purchased the ISO 27001 Toolkit from Advisera, exactly ISO 27001 Documentation Toolkit English (with extended support). 

In our case, we have a question that we would like to clarify with you, as we are sure you have seen more cases like this in many other companies.

*** is a small company (around 20-30 people) that is in a growth and expansion phase (in the next few years). As we are a manufacturer of custom-made medical devices, we have a Quality Management System according to ISO 13485 (applicable to medical device manufacturers) in place in the company.

Now, in defining and implementing ISO 27001 using the materials provided by Advisera, we see that there are many overlapping aspects between ISMS and QMS.

In all the material that Advisera provides in the ISO 27001 toolkik you mention the figure of the CISO or Information Security Manager. In *** all these tasks are being managed by the QARA Manager, which is me in this case.

Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?
What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?

Could all these roles be covered by Spentys’ current QARA Manager?

What do you recommend in this regard?

A proof for fulfillment of requirement A.9.5.1 from ISO 27017

Our certification body has asked us to show the proof of implementation of A.9.5.1 from ISO 27017: "Risk assessment performed and mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment. (s1)"

Could you please give us some examples on what kind of proof we would need to present to the certification body?

Control A.11.2.4

When looking at control 11.2.4, does this apply to all equipment? Or, just equipment crucial to business continuity? We do not have any equipment owned by the company other than laptops, so we are just looking to see what we need to do in terms of servicing our equipment.

IT Security Policy too narrow

We are using the wizard to create the IT Security Policy, and we found that the context in the IT Security policy is too short and seems that it cannot meet the requirements of ISO 27001. For example, the context in the IT Security policy didn't make any references to SOA controls. How would you advise how we can complete the IT Security policy according to the ISO 27001 standard?

Scope definition

In your opinion if several registered entities with different natures of business (e.g., data operator, business optimisation consultancy, publication house, and a financial service provider) are part of a registered holding company, how do you determine the ISMS scope, would it pass an ISO audit if the holding company drafted an Acceptable Use Policy or Wi-Fi AUP with expectation of a "one size fits all" entities?

Or would each entity have to have a separate policy that aligns to the holding company's security objectives as far as it applicable to them on an individual basis?

Compliance Manager

I work for a small company (33 employees) that is ISO 27001 and 27701 certified. We use SharePoint for document storage. Version control is documented manually on every procedure, policy, template, checklist, and training material in our company. In other words every time we update a process or materially change the content, we increment the version number, list the change, the date, and who approved it in the document. Each team has a Controlled Documents List to manage the documents for their team. This process is quite labor intensive, as we track changes and keep historical versions of each document, etc. It really is impeding the progress of keeping our documents up to date. With all this in mind, we are thinking of simplifying the process for documents that are not directly related to ISMS and PIMS. For example, is all this really necessary for the Sales Team process to create a proposal or for the Customer Care Team process to provide support for a customer using our software?

27001 audits

How would I audit a large company who holds their ISMS processes at their head office but have 120 sub sites who mainly only supply construction work for the company. Head office is in *** and about 60 sub sites in ***. My point is, as far as the ISMS is concerned it is operated from the Head office who hold all the clients’ data.