ISO 27001 & 22301 - Expert Advice Community




  • Establishing context

    How to concretely establish the context?

  • Configuration Management Policy & Procedure

    For our ISMS we need to have a "Configuration Management Policy & Procedure" to address the requirements of external parties (ex: regulators).


    I do not see any template for the same in the toolkit provided. Kindly assist on the Configuration Management Policy to help address below requirements.

    - A configuration management policy and procedure including a baseline of the software configuration of individual assets - baseline config is part of asset register & standardized

    - Documentation supporting a detection solution in place within the User Systems - only system admin have access to install

    - The implementation of solutions to detect and prevent the installation or execution of unauthorized software - only system admin have access to install

    - Documented procedures for reporting and remediating the installation or execution of unauthorized software - only system admin have access to install

  • Question regarding NDA

    Would like to know whether the party certified under ISO 27001 should obtain NDAs from the employees of the outsourcer, or whether the NDA between the outsourcer and the party is sufficient.

  • ISO 27000 and ISO 20000 - which to go first for?

    Which certification to go for first between ISO 27000 and ISO 20000 as an IT Risk and Compliance professional?

  • Technology to enforce and attest ISO 27001 controls

    What technology can be used to enforce and attest ISO 27001 controls (e.g., password policy) in a cloud SaaS environment?

  • Records or Documents

    Hi. I'm trying to decide whether Risk Assessments and Risk Treatment Plans would be considered documents or records. In other words, should they be version controlled? Or should they have specific record retention periods?

  • Toolkit content

    In the meantime, let me give you some context on what we are looking for, so that you can please address a few questions for us in advance through this channel. In our organization we carried out a cybersecurity assessment based on the NIST CSF, which among other things revealed the need to structure security governance through the preparation and formalization of various documents (policies, procedures, standards, etc.), which to a large extent match the documents you offer through the "Paquete Premium ISO 27001+22301".

    However, we note that there is a group of documents we need to develop that are not among your packs. We would like to know whether they might be named differently, or are perhaps included as part of other documents:

    • Threat management policy and/or process
    • Monitoring policy and/or strategy
    • Vulnerability management policy and/or process
    • Data management policy (at rest, in transit and with third parties)
    • Obsolescence and patch management policy
    • Capacity management policy
    • Policy for the adoption of new technologies
    • Policies and/or standards for managing security baselines (servers, OSs, databases, telco equipment, etc.)
    • Audit log policy
    • Corporate communication plan for cyber incidents
    • Risk Impact Analysis (RIA)
    • Crisis plan

  • Implementing and verifying items

    How is each item implemented, and how is compliance with each item verified?

  • 27001 ISMS Scope Question


    Are you able to help clarify our ISMS scope please? We have just started this process and I want to make sure I understand properly.

    Question 1 Scope - Processes and Services

    We are an IT company that has 2 cloud-based applications which we own, build and license to our customers. We are responsible for the data in these two systems and they are the reason we are undertaking the 27001 certification. So these two applications are obviously included in the Processes and Services part of our scope.

    We also use multiple other cloud based services that contain our customer data including ***, ***, ***, ***, etc.

    Am I right in saying that these third party systems can be excluded from our scope because it is the responsibility of the third parties (like ***) to secure the data we store in these systems?

    Therefore, is it valid to say that the full extent of our Processes and Services scope should be our 2 applications?


    Question 2 - IT Networks and Infrastructure

    Our applications live in an ***. I've read your article on defining the scope with cloud servers. I think we're number 4 in that list. That is: The organization uses a third-party platform (public PaaS). 

    2.1 - So in scope would be our two applications and the data within them but all Networks and Infrastructure are out of scope?

    2.2 - Have I overlooked something here? Is it valid to limit the scope to the applications we own/build/license to our customers?

    2.3 - Thanks for your help. Please also confirm which email address we should address our questions to.

  • Starting with SOA

    One item that came up on a gap analysis which has me confused:

    *** has space in colocation data centers in the *** and ***.

    We have 1 product (very low demand) running in *** and 1 product (also low demand) running in ***. We will be shifting more of our VM capacity to *** in the latter part of 2021, and the 2 products running in *** and *** will be in ***.

    A) we do not host customer data (customers are required to use test data)

    B) from a processing perspective, overwhelmingly, it’s on-prem (in colocation data centers) instead of Public Cloud

    I am trying to figure out how to get started with the SoA so that I don't do this 2x.

    Any advice would be appreciated.
