
ISO 27001 & 22301 - Expert Advice Community




  • ISO 27001 doubt on applicability of controls

    My doubt concerns the controls to be implemented regarding software development, i.e. controls 8.25, 8.26, 8.27, 8.28 and 8.29.

    I understand that if there is any type of internal software development, the controls must be applied.

    However, if a company has installed any software/platform that is open source, that means it is allowed to make changes, or changes can be made. This applies even, for instance, to solutions that IT systems administrators use to manage IT infrastructure.

    In this case, must any of the mentioned controls be applied, meaning that they cannot be excluded?

  • Completing RTP before certification audit

    Does all of the RTP need to be completed before certification audit?

  • Can a single legal entity have multiple ISO 27001 certifications?

    Hi, our parent company has ISO 27001. We have a new venture that is devolving from the parent and will become a separate legal entity. We want the new venture to be ISO 27001 certified; however, it operates very differently from the parent company. My question is: can a single legal entity have 2 ISO 27001 certifications, i.e. one for the parent excluding the new venture and a separate one for the new venture (which over time will become a separate legal entity)?

  • Team in charge of implementation and maintenance of the ISMS

    We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".

    We also want these team members to be able to approve requests, for example those in "09.01_IT_Security_Policy_27001_EN" for installing software, running Java, to name just a few.

    We don't want only one person to approve this, whether it is the IT manager or the CTO.

    We are a 50-user *** company.

    It does not make sense to me that the executive team should be the one in charge of the above, since in our case it is a small team of mostly non-technical users.

    We thought of creating a 3-person team (maybe called "IT Team", or another name if you have a better idea) that includes the CTO, IT Manager and the Head of Engineering. This team already meets weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation.

    Do you think that is a good idea?

    Is it in-line with the standard?

    If so, is it best described in "05_Information_Security_Policy_27001_EN"?

  • Certification

    Dear Dejan,

    I have been following you and Advisera for a couple of months and I really like the content you provide.
    I am now in the process of preparing my first customer for ISO 27k certification, but the legal side of things with the certification is not quite clear to me.

    Would you please be so kind as to give me your professional opinion on this? Would Conformio also help me with the process in this case?

    Let me give you a brief overview of the situation and you will know what I mean right away:

    There is company A (consisting of 15 people), based in the EU, which develops software, provides support, makes proprietary hardware for the software they make, etc.
    Then there is company B (consisting of 2 people), based outside the EU, which owns the copyrights to this software, tells company A what to do and what to develop, and is also written on every contract when they sell this software.
    The customer wants this software to be ISO 27k certified. Company B has no other legal connection with company A; they are not like parent/daughter companies.

    My question is, which company is going to be certified? Do they need to be both certified, separately?

  • Mandatory documents

    Why are you treating the 2013 edition when the 2022 edition becomes effective in September?

  • ISO 22301 IT

    I'm working in the IT department and my friend is working in the cyber security department. We are now in the preparation process to obtain an ISO 22301 certificate. Before this objective, my friend in cybersecurity prepared all the documents as part of the ISO 27001 preparation, but it covers only the cybersecurity department. I need your advice: is that okay, or should it cover all IT activities? He tells me the main reason for disruption of the services in IT is cybersecurity.

    Please advise who is right. We have prepared a BCM plan, risk management, BIA, BC community, and response structure/DR, but it focuses on cybersecurity.

  • Risk Register & BYOD

    Our company develops software for school management. We have a private office in a co-working space. We have employees, but we are also working with freelancers. They are working from home all around the world. I have some questions about the assets for the risk register. My first question is about infrastructure assets: do we have to include the private office in the Singapore co-working space? What about air conditioning, power supply, etc.? Also the same question about the co-working space in London. By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? We are using virtual servers from a third-party provider (2 in Europe and 1 in Singapore). Should we include these virtual servers in the assets? We have a website. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what that could be for us?

  • The scope of ISO 27001 training

    Does the ISO 27001 training offered cover only small and medium businesses? I mean the scope of the training, because when I started the internal audit training for the same standard, the lecturer said it is suitable only for small/medium businesses… so is the training not suitable for corporations?

  • Changing SOA in preparation for audit

    We are currently preparing for our control audit.

    However, due to personnel changes I am contemplating changing certain aspects of the SOA to reduce unnecessary overhead.

    What effect will the removal of controls, e.g. A.14, have on the audit and our certification scope?

    Can changes to the SOA only be made prior to certification audits?
