  • Latest version of Statement of Applicability

    Current controls to be included in the Statement of Applicability are those from the 2022 version of ISO 27001.

    This 2017 version refers to the British version of ISO 27001:2013 (this version's official name is BS EN ISO/IEC 27001:2017).

    The 2022 version of ISO 27001 has 93 controls in its Annex A, against 114 controls from the 2013 version.

    For further information, see:

  • How to keep being trained and skilled and best way to find work?

    The best approach for exercising your competencies and finding work would be to look for information security and audit groups on professional social networks like LinkedIn, and the ISO 27001 security group on Google Groups.

  • Question about tools and scope

    1 - What tools are free, e.g. for evaluation, and do you also have a repository for the documents?

    You can test for free our Conformio solution, which can help you implement and maintain an Information Security Management System compliant with ISO 27001. This solution has a module for document management.

    You can access Conformio through this link: https://advisera.com/conformio/

    2 - Can you tell me which tools are free, and where I can see the list of document templates and which ones are mandatory for the certification?

    Additional free tools are:

    You can access them through this link: https://advisera.com/resources/?type=tools|templates&standard=iso-27001

    3 - What about a scope extension when I want to incorporate SW products as well?

    Please note that products cannot be certified against ISO 27001. In this case you should look for the certification of the process related to the product (e.g., SW development and maintenance processes, software operation, etc.).

    For further information, see:

  • Help for maintaining a risk register

    1 - I've seen the instructions on how to set up the risk register, which seems easy, but do you have any instructions on how to work with the risk register in the upcoming years and cycles after certification?
    (Our mutual customer has implemented and certified ISO 27001 in your tool.)

    It looks like you need to go through the process all over again to reach the register.

    Answer: First of all, thanks for the feedback.

    Once you have performed the first risk assessment and treatment, you can access the Risk Register Module, and by clicking the “Edit Risk Register” button you can perform one or both of the following actions:

    Update the current information of approved risks (i.e., update the risk value and/or risk owner).
    Create a new risk (i.e., define the risk, the risk value and the risk owner), by clicking the “Add new risk” button.
    Once you have updated approved risks and/or created new risks, by clicking the “Next” button in the left-side part of your screen you can proceed to the review of changes, and after that, for the reviewed risks, to the definition of risk treatment and the approval of the risks and treatments.

    As you can see, in case of only reviewing risks, the effort is smaller, because you will be only updating the risk value and/or risk owner in the assessment phase (all other steps need to be performed).

    2 - All risks seem to get a risk value of zero after a plan.

    Answer: Regarding residual risks being zero, this is probably because you have decided to apply several different controls to treat each risk, and this approach really results in a great decrease in risk, because some controls act on the consequence while others act on the probability of a risk occurring.

    3 - I'm looking to see the progress of making the risk smaller.

    Answer: To work in the way you described, we suggest that, when adding new risks or reviewing the treatment of already approved risks, you implement only one control at a time and see its effect on the risk, and after that add new controls and see their combined effect.

    4 - Filter and work with all risks in the prioritization order which the auditors demand.

    Answer: Regarding risk prioritization and filtering, please note that an auditor should not demand a specific prioritization. Risk treatment prioritization is an organizational decision, based on its context and risk appetite. What the auditor can do is require you to explain which criteria you used to prioritize the risks, and evaluate whether these criteria make sense for your ISMS.

    The auditor can at most suggest a prioritization (the organization can evaluate the suggestion and follow it or not according to its need).

    5 - Can you guide me to any information, manual or video on how to work with the register after implementation? (Or are you supposed to extract it and work in excel or alike)

    Answer: You can schedule an online meeting with one of our experts so he can guide you on performing a risk review by accessing this link: https://advisera.com/consultations/.
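    The answers above describe two things a practitioner usually wants to see in a register: why residual risk can drop to zero when several controls are stacked (some reduce likelihood, others reduce consequence), and how to watch the residual value fall as controls are added one at a time, then filter by the organization's own risk appetite. The following is an added example written for this page; it is not Conformio's code and does not reproduce its formula. It assumes a simple additive model on a 0-5 scale for likelihood and consequence with residual risk = likelihood × consequence, and the sample risks, owners and control effects are constructed values, not real assessment data.

```python
"""Toy risk register: residual risk after controls, applied one at a time.

Added example, not Conformio's code or scoring formula. Assumed model:
likelihood and consequence on a 0-5 scale, each control subtracts a fixed
number of points from one of them, residual risk = likelihood * consequence.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points removed from likelihood (assumed scale)
    consequence_reduction: int = 0  # points removed from consequence (assumed scale)


@dataclass
class Risk:
    name: str
    owner: str
    likelihood: int
    consequence: int
    controls: list = field(default_factory=list)

    def residual(self) -> int:
        """Residual risk after all attached controls; never below zero."""
        l = max(0, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        c = max(0, self.consequence - sum(c.consequence_reduction for c in self.controls))
        return l * c


def apply_incrementally(risk: Risk, controls: list) -> list:
    """Attach controls one at a time and record the residual after each step.

    This is the 'one control at a time' review suggested in the answer:
    it shows which control contributes how much, instead of only the end value.
    """
    history = [("no controls", risk.residual())]
    for control in controls:
        risk.controls.append(control)
        history.append((control.name, risk.residual()))
    return history


def prioritized(register: list, appetite: int) -> list:
    """Risks still above the risk appetite, highest residual first.

    The ordering criterion is the organization's own decision; the auditor
    only asks you to explain it. Here it is 'residual value, descending'.
    """
    above = [r for r in register if r.residual() > appetite]
    return sorted(above, key=lambda r: r.residual(), reverse=True)


def build_register():
    """Constructed sample register (assumed values), returned with the
    step-by-step history for the first risk so callers can inspect it."""
    ransomware = Risk("Ransomware on file server", "IT manager",
                      likelihood=4, consequence=5)
    history = apply_incrementally(ransomware, [
        Control("Offline backups", consequence_reduction=3),    # acts on consequence
        Control("MFA on remote access", likelihood_reduction=2),  # acts on likelihood
        Control("Patch management", likelihood_reduction=2),     # acts on likelihood
    ])
    phishing = Risk("Phishing of finance staff", "CFO", likelihood=5, consequence=3)
    laptop = Risk("Stolen unencrypted laptop", "IT manager", likelihood=3, consequence=2,
                  controls=[Control("Full-disk encryption", consequence_reduction=2)])
    return [ransomware, phishing, laptop], history


if __name__ == "__main__":
    register, history = build_register()
    for step, value in history:
        print(f"{step:>22}: residual = {value}")
    print("Above appetite (4):",
          [(r.name, r.owner, r.residual()) for r in prioritized(register, appetite=4)])
```

Run as a script, the ransomware history goes 20, 8, 4, 0: the backup control alone cuts the consequence, and the two likelihood controls then take the probability term to zero, which is the "residual zero" effect from question 2. Only the untreated phishing risk remains above the assumed appetite of 4 and would be the first item in the treatment order.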

  • ISO 13485 as Importer

    Thank you very much, Kristina. 

    So the main purpose of risk analysis, no matter the device and procedure, is compliance with regulations and safety.

    Best regards, 

  • ISO 9001 - Quality Objectives and Processes

    First, you identified 14 processes.

    Please check ISO 9001:2015 clause 4.4.1 c) – your organization must have at least one indicator/objective per process to monitor its performance. But those indicators/objectives are not necessarily quality objectives, i.e., high-level objectives aligned with and deployed from the quality policy.

    Process performance indicators are one thing, quality objectives are another thing. Some process indicators can also be quality objectives.

    Second, regarding “Can I interpret that as our organization can choose which of the 14 processes we want to establish quality objectives for?” Yes, you can choose, but it should not be a free choice; it should be a function of strategy and the quality policy.

    Please check the third slide after the agenda of this Free webinar on demand.

  • ISO 27001 version mention

    This 2017 version refers to the British version of ISO 27001 (the BS EN ISO/IEC 27001:2017), which does not include any change that impacts the requirements defined by ISO 27001:2013.

    This article will provide you with further information:

  • Business Continuity Procedure

    Please note that ISO 27001 control A.17.1.2 Implementing information security continuity does not require a "Business Continuity Procedure", only “…processes, procedures, and controls to ensure the required level of continuity for information security…”.

    Considering that, a less complex document like the Disaster Recovery Plan is sufficient to be compliant with this control.

    In the 2022 version of the standard, control A.17.1.2 is now A.5.30 ICT readiness for business continuity. For further information, see:

    Regarding the "List of Required Docs for ISO 27001 / 2013”, it is not clear which document you are referring to. Could you please send us the link to it, so we can check it?
