We have passed the stage 1 of ISO 27001, one of the minor finding we should have Secure system engineering principles, as we develop a software.
I checked in your documentation of ISO 27001, there is no Secure system Engineering policy and procedure. Could you provide some guidance what should be written?
I’m seeking information on a communication plan template in the Advisera’s ISO Toolkit 27001_22301.
I read this article and now I’m trying to locate the template.
Control A.8.1.1 is missing in reference documents of „Richtlinie_zur_Klassifizierung_von_Informationen_DE“. Inside the "Erklaerung_zur_Anwendbarkeit_DE" control A.8.1.1 includes the „Richtlinie_zur_Klassifizierung_von_Informationen_DE“ as implementation method.
Would you mind telling me what’s correct?
I have a question about the appendix of the policy for safe development - the specification of safety requirements. I try to add the appendix into the risk treatment plan. What is the measure for awareness and what is the method for evaluating results? Who will have access to the document?
We are now starting the implementation of Information Security ISO 27001. I am on the phase of preparing control implementation of the policies. I'm facing difficulties, with start working on it.
What is the version of ISO 27001 that your documentation is compliant with?
I just viewed the ISO/IEC 27701 Privacy information management standard (First edition 2019-08) and I have learned that there are more than some minor modifications. In the Advisera documentation kit ISO27001/GDPR, I do not see (yet) anything about this.
Do you have an idea how to best deal with this, I do not find anything on the Advisera website about it (unless I have overlooked something)? Will there be a publication and/or webinar/additional documentation available (can be payable) in the near future from Advisera part?"
How to prepare an action plan after external auditor has given minor NC?
I have the following question regarding a decision which impacts the ISO27001:
The owner/management (small company) has a company e-mail addresses. The owner does not like working with the company e-mail solution, so he wants to automatically forward the incoming e-mails from his company inbox to his private email account (with Gmail). Additionally, he wants to send E-mails from his private email account where the sender will be shown as his company email. The use of private email addresses is generally prohibited (currently implementing policy for employees etc.). Is it possible to create an exclusion in the policies for the owner/CEO and what other implications does this e-mail forwarding/relay have with regard to the ISO27001 certification? The whole company is in the ISMS scope, but not the mentioned private email account.
I am in the process of building my career into Vendor Risk Management so wanted to check on what could help me be a better auditor and how to achieve my Goal.
