say you completed an audit, submitted the audit report to top management for review. Now that management has read the report, they disagree with some of the findings. What is the best or common practice to address such feedback in relation to the report that has already been finalized?
12.7 Internal systems audit considerations Hope you’re doing well, can this clause be covered by our internal audit?
I am conducting research regarding smart devices and how they can be hacked and what is the EU cybersecurity acts responsibility for this. I need to compare the EU framework to ISO27001 to see which one is better and more useful
Please advise if the Advisera template for A.16_Incident_Management_Procedure in ISO27001 toolkit is aligned with ISO27035:2016 which is a requirement for us as per regulatory/legal/license requirement.
Hello,
With reference to the risk assessment methodology (risk assessment for ISO 22301 purposes). Who is the owner of the risk if the company to be analyzed uses IT solutions provided by a related company in the capital group?
Example:
Company X (it is subject to risk analysis in connection with ISO22301) uses an accounting program. Company Y (an IT company from a capital group) provides the program. Will the asset owner, for example, be the IT Director of company Y, and the Accounting Director of company X the owner of the risk? Who should assess the risk for company X in this case? I think he's an employee of Company X, but I'd like to make sure.
Best regards,
With the help of the ISO22301 documentation set from Advisera, I am currently preparing an internal audit procedure for the business continuity management system. The checklist includes the following questions:
6.1 Has the organization identified the risks and opportunities relating to the effectiveness of the management system?
6.1 Does the organization plan to deal with the identified risks and opportunities?
6.2 Are the business continuity objectives measurable; are they monitored and updated?
6.2 Are there steps to achieve goals, responsible persons, deadlines, necessary resources?
In which documents from the ISO22301 package does the organization address these questions and meet the requirements of clause 6.1 and 6.2 of the standard?
I'm currently working on the 10.3 Appendix 3 Internal Audit Checklist which contains both ISO 27001 checklist but also ISO 22301. I haven't been working with ISO 22301 at any time throughout this project. Is it best practice to audit for 22301 even though this isn't a standard we've paid any attention to? Or should I just delete from the checklist? Afterall it's just a template.
I guess I should just remove the ISO 22301 part from the document, but I just wanted to make sure that an auditor does not expect this part as well.
In the toolkit purchased, there is no policy template for control A.10.1.2 (Key management). I would appreciate it if a document were provided. Thank you.
One question – the vendor security clauses indicate a bunch of items that need to be included in the vendor agreement. Do you have a template/example of an agreement that I can red-line with all of the relevant clauses included?
We started from ISO 22301 based on the documentation we received from you. I have a couple of doubts about filling out BIA forms.
That you do not have a randomly filled out form because some fields are not clear to me, and I do not have any instructions for filling in the form itself.
