ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit register of requirements Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit ISO 14001 ISO 22301
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Filling SoA

    I already used risk ID's inside the SoA template and wrote down „Risk #8, #10, #38“ for example. I did it like Dejan’s video tutorial said. But control A.12.6.1 includes (in my opinion) almost any risks out of the risk assessment table and I would like to write a general statement for „reason for selection / exclusion“ instead of writing each risk ID down. Is this possible? I did it for some other controls inside the SoA already too.

  • Scope definition

    Espero se encuentre muy bien, escribo ya que la empresa donde me encuentro laborando actualmente quiere certificarse en 27001, pero solo quiere certificar un "producto" el cual es la facturación electrónica, quería saber si esto es posible, ya que tengo confusión al momento de delimitar el alcance del SGSI y la política de seguridad de la información, ¿la política excluiría a los demás procesos y áreas de la compañía?, ¿y por tema de costos también sería menos beneficioso ya que incrementaría al momento de querer certificar los demás procesos de las compañía?

  • Filling SoA justification

    I have a question about control A.12.6.1 handling of technical vulnerabilities (inside the SoA table). In the column „reason for selection / exclusion“ I could basically enter almost any risk from the risk assessment table. Cause a lot of risks are based on technical things. I'm guessing that's not the way to go(?) For some other controls out of this table I have chosen general statements as the "reason for selection / exclusion“ without mentioning the concrete risks out of the risk assessment table. Would that make sense with control A 12.6.1, too?

  • Filling asset inventory

    You told me that listing the consequences inside the Asset Inventory comes out of the Risk Assessment Table and isn’t mandatory (but best practice). So far I totally got it and it makes more sense as the comment says before. But here is the thing: If I take the asset "top management" for example, I have for one asset different consequences inside the Risk Assessment Table, cause I have more than one vulnerability and threat. One asset with two different consequence-levels. The Asset Inventory consists of the asset „top management“ but needs just one consequence-level, right(?) Or shall I put both consequence-levels for one asset inside the Asset Inventory?

  • ISO 27001-2019

    First, please accept my apologies if there is a general email address to which to send inquiries, but looking through all the relevant correspondence I could not find any indication as to where to send questions so I am just replying here as you had specified in the email below. In any event, please feel free to redirect as you see fit and let us know if there is a specific email for inquiries moving forward.

  • Use of encryption

    In the past years, encryption has become a key control for protection of integrity and confidentiality of data. Many organizations use encryption technology such as disk encryption provided by the OS with managed keys. I am surprised to see this statement as not allowed per IT Security Policy:
    auf einem lokalen Rechner Kryptographie (Verschlüsselung) zu nutzen, außer in den Fällen, die in der Richtlinie zur Klassifizierung von Informationen
    (Use cryptography (encryption) on a local machine, except in the cases specified in the Information Classification Policy)
    This seems to be an old control to ensure availability. In my view, any organization should make it mandatory to use the corporate encryption solution – and central key management.

  • Transferred risks

    En el analisis de riesgos, si se decide transferir el riesgo de unos activos, a un tercero, con quien existe un contrato de mantenimiento. Por ejemplo, se decide transferir el riesgo de un conjunto de serviodores muy criticos, a la empresa de mantenimiento.

  • Risk and asset owner

    Hola, tengo una duda en el analisis de riesgos. Puedo tener 1 activo, con 1 propietario del riesgo, distinto al propietario del activo y despues ademas, transferir el riesgo de este activo, a un tercero? por ejemplo:

  • Defining ISMS scope and access profiles

    Antes de plantearle una duda que tengo les pongo en situación: Mi empresa realizó previamente un análisis de riesgos por el que tenemos dicho análisis y la declaración de aplicabilidad (aplica todo), para avanzar en el objetivo de conseguir la certificación ISO 27001 se incorporó en nuestra compañía una responsable de cumplimiento legal y se ha puesto al frente para conseguir esta certificación, analizó los datos comentados antes y nos solicitó a IT las políticas de seguridad (este es el motivo de la adquisición de las plantillas: la creación de nuestras políticas en base a estas plantillas)

  • ISO 27001 Objective measurement document

    I am looking for document for ISO 27001, Objective measurement. We have the toolkit and it is not there ,maybe we can get it extra?
Page 221 of 544 pages