ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Question about ISO 27001 and ISO 27002

    As far as I understand ISO doesn't dictate us to compliance with 27002
    Does these 45 documents in the toolkit covers all 26 requirement management system and 114 control points?
    I'm asking 27002 because I don't know if ISO will ask me if I have some installation, management or monitoring procedures for systems. We don't have such time to prepare it. If this is not the case, we are ok I believe.

  • Questions regarding ISO 27001 documentation

    Dear all,

    I’m writing to you on behalf of the company ***  and its CEO *** , who bought the toolkit

    We would like to ask you for some help regarding the possibility of using the following sentence in the compilation of the ISO27001 documents:

    1 - Regarding the users (destinatari in italian), in your documents the term used is employees of the company. Since other subjects could be involved in the politics and procedures, we were wondering if we could use the following sentence for all the documents:

    Destinatari di questo documento sono tutte le persone che rientrano nel perimetro di applicabilità del SGSI di ***.

    Translated in english: The users of this document are the subjects who are included within the perimeter/scope of the company ISMS applicability.

    2 - The second question:

    Within the Documentation in A.9.1 Politics for the Access Control there is a document called La Dichiarazione di Accettazione dei documenti del SGSI. The translation in english should be something like Declaration of the ISMS documentation Acceptance. What is this document actually about? Is there a form of this document that we could use?

    Thank you in advance for your help.

  • local country leadership in trying to align ISO 27001 certs


    My issue is that I have businesses in a number of European companies that are ISO 27001 certified, and I want to see if I can achieve alignment and consistency. If the scopes are different and they are all certified by different bodies and the end dates are different - what would be the best approach to this. If indeed it is feasible? How would I even assess any alignment - Gap analysis?

  • Supplier information security requirements

    For the implementation of ISO 27001:13 in part A15. Supplier relationships now I really need the supplier information security requirements. Could you send me this file? thanks in advance.

  • How Annex A controls relate to ISO 27001 Requirements

    Can you please explain to me how the 'ISO27001 Annex A Controls' relate or map to the 'ISO27001 Requirements'?

  • Document Control

    ISO 27001 does not require anything specific for document control really - just that the company defines a document control process which addresses those 4 requirements....

    distribution, access, retrieval, and use; storage and preservation; control of changes; retention and disposition

    Am I right?

  • Conformio risk register, confused by some of the threat mappings for Human Resources

    The Conformio risk register defines the following

    • Threat is what kind of negative thing can happen to your asset because the vulnerability exists.

    The mapping path is Asset to Vulnerabilty to Threat

    Asset: Employees with specific expertiese ( system admin, security experts ) 

    Vulnerability: Replacement person does not exist or is inadequate

    Threat:  Earthquake / Fire / Flood / Storm ?

    Of the 12 items listed, only 2 seem reasonable - breach of contracts and information disclosure

    Seems like this mapping needs some work, or am I misunderstanding something ?

  • Linking the external/internal issues and interested parties to the risk and opportunities

    For ISO27001 certification, is there also a need to explicitly identify or link the external/internal issues and interested parties to the risk and opportunities?

    Since for risk assessment and treatment approach, they often started from assets perspective.

  • Register of Legal, Contractual, and Other Requirements - how detailed?

    I am stuck as to where to start on the Register of Requirements for this section.

    One client may have 30+ contractual requirements.

    1 - Do I list each requirement separately or put all 30 of the items in the "Description of the requirement" field?

    2 - Do I limit the items to just those that are security related ?

    3 - Most of our customers are banks , and we fill out a SIG that has 100's of security related questions, it seems impractical to list all of these in the register for each customer.


  • Recommendations on Security Awareness and Training

    Could you ask one of your ISO 27001 experts for their recommendations on Security Awareness and Training.

    1 - How do I get this going in my company?

    2 - What will the auditor be looking for in this requirement?


Page 8 of 470 pages