ISO 27001 & 22301 - Expert Advice Community

Conformio roles

My name is the only available user for the steps in Conformio. What other users/roles would you recommend that I add? (Or does that actually come later in the process? The guide says I should not skip any steps, but at the same time I feel I need some new roles and users in the system)

Help with certification

Hi, we wanted to discuss how to best place our shared server IT Department to support the business units who currently hold or want to obtain ISO 27001:2022 certification.

Register of Requirements and scope

We like to have the development and QA departments of *** certified. But we like to include the hosting of our cloud service (which is done by our holding company) in all the documents already now. We have been advised to do so because we like to keep the scope small for the initial certification but extend it later. I'm now working at the Register of Requirements. How can I make transparent which requirements are for Dev/QA of *** and which are for the holding (in other words, what is in the certification scope and what's for later)?

Controls in the SoA that so not show up in the Risk Assessment

We have controls in the SoA that we want to implement, that are not specifically part of the risk assessment table i.e., not used to mitigate a specified threat. However, it still makes sense to implement these controls. Is that ok? Can we have controls in the SoA that are not specifically part of the risk management?

Handling termination and change of employment

What sections or where would the handling termination and change of employment with ISO 27001 be located? Not sure how where to find that.

Risk assessment Guidance

1 - is there a tool to help with risk assessment coverage from ISO 27k to 9k/20k?

Need to update Risk assessment and wanted to know if there is set Guidance and or tool to assist

2 - is there set policy or regulations for doing a risk assessment to include these additional ISO's?

Validity and document management

I have one minor clarification.

In all procedure templates have a validity and document management section as below:

Validity and document management

This document is valid as of [date].

---------------------------------------------------------------------------------

If we are creating this document today, which date do we need to mention here as valid as of [date].

Is it like we need to keep a date after 1 year or so when we plan to review the document again?

For example, today is 12 AUG 2023, do we need to mention as “This document is valid as of 12 AUG 2024”.

Please clarify.

If we keep a date after one year, then we should ensure we review/revise document before that and change this date to date after one year again. Correct?

ISO 27001 Toolkit for consultants questions

I am reviewing the document toolkit for a project that I am about to start with a client and have the following initial questions to ask.

Printed documents
The documents are stored in electronic format in most organisations, but nowhere on the document does the statement ‘uncontrolled when printed’ or similar appear in the header of footer 

We have always inserted this statement into all documents within our work as otherwise a printed document could be picked up and used without checking that it is the latest version.

We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?

Improvement / non-conformance log
I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only.

We would always include an improvement log where all non-conformalities and improvement suggestions (complaints, Issues, Improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words a spreadsheet register that matches the con-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.

Document control
I don’t understand the document control procedure as it does not state how a change request is raised for consideration (document change request for instance)

Again we would not call this a non-conformity but it would be raised in the improvement log prior to any change of document being authorised. What is this ‘Track changes’ referring to please?

The procedure states
All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
Each document should preferably have a "Change History" table used to record every change made

 The toolkit does not contain a document register?

This is going to make it difficult to show the version of all latest documents – most cert bodies in my experience are looking for a master document register. 

Hope that makes sense and apologies if I am missing something

Gap Analysis for ISO 27001:2022

Hi There

looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?

Many thanks