ISO 27001 & 22301 - Expert Advice Community




  • Is ISO 22301 mandatory for audits?

    Is ISO22301 mandatory for audits like e.g., ISO13485?

  • ISO 27001 / 2 website changes

    Hi - wanted to get your thoughts on the impending version of ISO27001/2 and if you will be covering the changes via your website soon?

  • Security of information that pertains to computers only

    My question is: Does the ISO 27001 standard (Information security management systems — Requirements) talk about security of information that pertains to computers only? Or is it talking about information security in general, I mean traditional paper information too?

  • Control mapping document

    Is there a control mapping document between ISO 27k and 22301?

  • ISO 22301/20000/27001 integration

    How to integrate ISO 27001, 22301, and 20000?

  • ISO 27001 and NIST 800

    How does ISO 27001 complement or conflict with NIST 800?

  • Risk Management and ISMS

    1. What is the best way to do risk management?

    2. How do I raise awareness for information security?

    3. How to set up an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?

  • Contingent Worker Definition

    Is there a concrete definition for contingent workers per the ISO Standard?

  • ISO 27001 Scope change

    We are coming up for re-certification this year for ISO27001. We were all in an office in *** but since the pandemic we have all been given new contracts and are permanently WFH now. Since the scope only contained services and company owned hardware at the *** Office, this cannot stay as is. I was wondering if I was to change the scope to say "Company owned assets"? If I was to change this will it exclude home routers etc., or will I need a new policy for updating home security devices? We have many layers of security in place, including encryption, MFA, conditional access policies etc. Just looking to make the scope correct for the new world we find ourselves in.

  • Scope definition

    Hi Dejan,

    I’m from a multi-academy trust which is made up of XXXX schools. We have over XXXX students and XXXX staff, so for our scope, we’re looking at the IT department, rather than the whole organisation.

    However, the more I look at this, the more confused I’m getting!

    Clauses 4.1 and 4.2, are they based on the organisation as a whole, rather than the department in scope? It seems like even clauses 4.1 & 4.2 are a huge task, and identify things that aren’t covered by the IT department. It seems odd to identify these issues as an organisation, only to not cover them as they aren’t covered by our scope.

    Also, in terms of interested parties, would our students count? If so, would it be those over the age of consent in GDPR terms, or all ages?

    Also, do you know if any schools or multi-academy trusts in the UK have achieved ISO 27001? If not, are there any resources or information you could point me to that are focused on educational establishments that I could gain some guidance from?

    Finally (apologies, this may be oddly worded!), as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as requiring two-factor authentication for staff in other departments to log in to a service?

    We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!
