Guest
Dear Team - this is quite urgent - we have got a non-conformity because the auditor didn't accept the risk register as produced by Conformio - we are not sure how to mitigate this, any guidance would be hugely appreciated. Here is the non-conformity. (27001) Finding: The organisation did not fully meet the requirements for clause 6.1.2 c)1) - apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system. Evidence: missing from Risk register within Conformio platform.
Additional information: The auditor requests that we add a column showing the impact on each of the CIA components - Confidentiality, Integrity, and Availability (e.g., letters representing the affected components of CIA).
The policy templates we received as part of our toolkit refer to ISO27001. Should this be changed to ISO27002?
I want to ask about establishing risk acceptance criteria in clause 6 - 6.1.2, and if there is any sample I can view in order to complete creating my system, which is related to a cloud-based software solutions company.
So I have a request – would you have a privacy policy template from ISO27002, I believe A6.1.2, that I can purchase?
We recently upgraded with you the ISO27001 workbook templates, and I'm going through a client audit. They are asking for a specific privacy policy, and so far what I have provided from either the older 2013 ISO27001 or the GDPR is not passing with them.
Underneath the register of requirements, where I am asked if I am compliant with the Computer Misuse Act, am I expected to have a policy, or do I read and agree to the terms?
Is there a reason to keep the 09.04 BYOD policy separate to the 09.01 IT Security Policy?
Or can we just include it there (in 09.01) like for example we do with 09.02 Clear Desk policy?
My doubt is related to the controls to be implemented regarding software development, i.e., controls 8.25, 8.26, 8.27, 8.28 and 8.29.
I understand that if there is any type of internal software development the controls must be applied.
However, if a company has installed any software/platform that is open source, it means that it is allowed, or changes can be made. Even, for instance, for solutions that IT systems administrators use to manage IT infrastructure.
In this case, must any of the mentioned controls be applied, meaning that they cannot be excluded?
Does all of the RTP need to be completed before certification audit?
Hi, our parent company has ISO 27001. We have a new venture that is devolving from the parent and will become a separate legal entity. We want the new venture to be ISO 27001 certified; however, it operates very differently from the parent company. My question is: can a single legal entity have 2 ISO 27001 certifications, i.e. one for the parent excluding the new venture and a separate one for the new venture (which over time will become a separate legal entity)?
We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".
We also want these team members to be able to approve requests, for example in "09.01_IT_Security_Policy_27001_EN" for installing software or running Java, to name just a few.
We don't want only one person to approve this, whether it is the IT manager or the CTO.
We are a 50-user *** company.
It does not make sense to me that the executive team be the one in charge of the above, since in our case it is a small team of mostly non-technical users.
We thought of creating a 3-person team (maybe call it "IT Team", or another name if you have a better idea) that includes the CTO, IT Manager and the Head of Engineering. This team already meets weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation.
Do you think that is a good idea?
Is it in line with the standard?
If so, is it best described in "05_Information_Security_Policy_27001_EN"?