ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 14001 Product: ISO 27001 Internal Auditor Course
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISO 27001 Toolkit for consultants questions

    I am reviewing the document toolkit for a project that I am about to start with a client and have the following initial questions to ask.

    Printed documents
    The documents are stored in electronic format in most organisations, but nowhere on the document does the statement ‘uncontrolled when printed’ or similar appear in the header of footer 

    We have always inserted this statement into all documents within our work as otherwise a printed document could be picked up and used without checking that it is the latest version.

    We also note that a lot of certification bodies would pick up a non-conformance in these instances. Can I ask why this statement is not included on all electronic documents please?

    Improvement / non-conformance log
    I cannot find a register for non-conformance or what I would call an improvement log / register. The toolkit has a corrective action procedure and a corrective action form template only.

    We would always include an improvement log where all non-conformalities and improvement suggestions (complaints, Issues, Improvement ideas and changes to documented information, processes or context) are recorded according to their source. In other words a spreadsheet register that matches the con-conformance form fields but allows one to view all non-conformities / issues in one place without having to sift through a pile of forms to find out which ones are overdue or still open.

    Document control
    I don’t understand the document control procedure as it does not state how a change request is raised for consideration (document change request for instance)

    Again we would not call this a non-conformity but it would be raised in the improvement log prior to any change of document being authorised. What is this ‘Track changes’ referring to please?

    The procedure states
    All changes to the document must be made using "Track changes," making visible only the revisions to the previous version, and must be briefly described in the "Change History" table; if Track changes option is unavailable, or if the changes are too numerous, then the Track changes option is not used.
    Each document should preferably have a "Change History" table used to record every change made

     The toolkit does not contain a document register?

    This is going to make it difficult to show the version of all latest documents – most cert bodies in my experience are looking for a master document register. 

    Hope that makes sense and apologies if I am missing something

  • Gap Analysis for ISO 27001:2022

    Hi There

    looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?

    Many thanks

  • Checklist for ISO 27001

    1. I have the ISO 27001 Internal Audit Toolkit English and am starting the internal audit. The checklist provided for ISO 27001 only has listed up to A.8.34. The Statement of Applicability has up to A.18.2.3. Could I have the checklist up to A.18.2.3, please?

    2. Also should the policies and procedure documents be specifically named individuals rather than Job title?

  • What asset to list when Risks relate to general or high-level assets?

    In the risk register/table, some risks relate to high-level or more general assets that I do not have in my asset register.

    For example:

    • User error >> most assets

    • Information interception >> most assets

    • Malicious action by employees >> almost everything

    • Unauthorized access to the information system >> all system and docs

    • Leakage/disclosure of information >> all docs and data

    • Unauthorized change of records >> all systems with records

    What should I write as an asset for these risks in the relevant tables (risks, risk treatment etc).

  • ISO 27001 2013 vs. 2022 revision

    A company is going for its first year ISO 27001 surveillance audit based on ISO 27001:2013. I have been appointed to perform its internal audit. Kindly advise if we should cater for the 2022 revision during my audit. If yes, in which section and how.

  • Impact column in Asset Inventory

    "In "09.07_Inventory_of_Assets_27001_EN.xlsx" there is a column (F) with Impact and there is a note saying "Copy from the Risk Assessment Table.". But, in the Risk Assessment Table, the Impact (which you call "Consequence") is for each Risk and not for the asset. Can you please clarify and explain if I am missing something?"

  • Documentation package content

    I'm not quite convinced of the new documentation package for 2022.
    In the package for ISO 27001 from 2017, the documents have been named consecutively based on the subdivisions.
    For example, under area A10, the document Guidelines for the use of encryption was created based on the controls A10.1.1, A10.1.2 and A18.1.5

    https://i.imgur.com/cUjQiuZ.png

    According to the new classification of the controls appendix A 2022, the controls 2017 for cryptography go to department 8 Technological Controls appendix A 2022

    In the control A8.24 over. However, your documents are not subdivided and subdivided according to the new ISO in the appendix, but are included

    Only the departments Security Measures, Training and Awareness, Internal Audit etc.

    Where can I find the documents on the other measure terms such as 5. Organizational Controls, 6. People Controls, 7. Physical Controls and 8. Technological Controls?

  • Question about SMCA

    Hello, I have a concern about the determination of activities, products and services. I would like to take a practical case of an organization whose sole activity is to operate and maintain the IT system of a bank. the Bank retains 3 critical processes that must never be interrupted: customer management, credit management, collection

    We want to do the SMCA (Système de Management de la Continuité d'Activité) for the Bank's computer system. What to remember in the products and services of the SSSI (Société de Services en Systèmes d'Informations)?
    i) Product: Computer System, Services: Management and maintenance of the Computer System, customer management, credit management, collection
    ii) Product: IT system, Services: customer management, credit management, collection
    iii) Product: Computer System, Services: Management and maintenance of the Computer System

  • Scope (locations and addresses)

    With regards to the scope, there is a section around location. Our client’s registered location is the CEO’s house address which we wouldn’t want to include as the location. All the users work remotely in different places. How do we deal with such a scenario? Is there a way to exclude location?
Page 9 of 544 pages