ISO 27001 & 22301 - Expert Advice Community




  • Implementation of ISO controls

    After reviewing what we’ve done so far for the ISO 27001 implementation, there has been a bit of uncertainty about the implementation of ISO controls.

    Before starting with ISO 27001 we already did a lot of things as securely as possible.

    This has resulted in not a lot of risks in our risk assessment and not many controls stated as applicable in the Statement of Applicability.

    I read in various articles that the SoA should probably have 80 – 90% of the controls stated as applicable, whereas we only have a handful at most.

    My question is whether we’re doing this right or might be misinterpreting something. Or perhaps our approach has been inadequate.

    So far we’ve identified a few risks, decided which controls we should implement, and implemented those with help from the toolkit and videos. Hopefully you could give us a new perspective and help us find hidden risks.

  • ISMS responsible and CISM

    Is there a difference between ISMS responsible and CISM?

  • Can we be GDPR and ISO 27001 compliant with 1 employee?

    Can we be GDPR and ISO 27001 compliant with 1 employee? 2 employees? And when working with freelancers/consultants?


  • Including SOC 2 controls in SoA

    I hope you're doing well. I watched the ISO 27001 Lead Auditor Exam training videos and found them to be very useful! Thank you for offering this free training. I am leading the ISO 27001 internal audit efforts at my company for the first time this year and wanted to seek your guidance. Our company's ISMS is ISO 27001 certified and we also have a SOC 2 Type 1 certification.

    1. Are we required to include the SOC 2 controls in the ISO 27001 Statement of Applicability?

    2. If we were to add all of the SOC 2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC 2 controls since those are tested independently as part of the SOC 2 audit. I understand an internal audit is not required for the SOC 2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC 2 certification audit.

  • ISO 27001 confidentiality

    Which section of ISO 27001 mentions confidentiality?

  • Documenting Statement of Applicability

    1. How to start documenting the Statement of Applicability?

    2. What approach to follow?

    3. Who should one interact with?


  • Critical areas to prioritize focus during implementation

    What are the most critical areas to prioritize during implementation?

  • Recommended system/application to control documents, incidents and other stuff from ISO standards

    What system/application do you recommend to control documents, incidents and other items from ISO standards?

  • The best KPIs for monitoring metrics

    Which KPIs would be the best to choose for monitoring metrics?

  • Business relevant data

    The question is: what is considered ‘business-relevant data’ as mentioned in the document ‘A.8.2 IT Security Policy’ and is there a list that we can use to help us identify instances of this?
