ISO 27001 Conformio questions

1. In case we have to abide by requirements in several states because we are doing business with both, how should we handle these requirements in the context of ISO 27001 implementation?

First, these requirements must be included in the Register of Requirements module. After you include these requirements in this module, related controls will be identified as applicable in the Statement of Applicability module, and the responsible person for the requirement can define and upload the related implementation plan.

2. In case we have defined a security objective and we fail it (i.e., our target was to decrease the number of incidents, and we see that they have risen) will this hamper my possibility of obtaining the certification.

In case you evaluate that you have not achieved a security objective, this situation will affect your certification process only if any decision regarding how to handle this situation is not made, or if actions related to a such decision are not implemented or do not have the expected results.

For further information, see:

• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

3. How do we select a certification body?

Elements you should consider when selecting a certification body are at least these ones:

• Reputation.
• Accreditation.
• Specialization in your industry.
• Experience.
• Integrated audit.
• Flexibility.
• Required maturity for certification.
• Language.

For further information, see:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/