Guest
a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?
b) Will the certification auditor not pass the certification audit if there are no risk treatment actions?
Hi Dejan
*** is progressing with its Electronic Money Institution (EMI) licence with the Central Bank of YYYY.
Below is a query received from the Institution:
13.1(h) A detailed risk assessment in relation to its payment services, including fraud:
a. Please provide verification of the progress of the gap analysis the firm is undertaking against ISO 27001.
Would you be able to advise whether, if we conduct a risk assessment specifically of payment services to identify the gaps, this may suffice for the Institution? Or is there another process we could follow?
Within the file 06.1_Appendix_1_Risk_Assessment_Table_27001_EN.xlsx, the example given for the laptops' Asset Owner is "User".
Considering the ISO 27002 recommendations, the laptop "User" does not seem to fit the role of Asset Owner according to ISO 27002:2022. May I know how to counter the auditor's response if he or she raises this concern?
In our ISO 27001 package, is there a document template for a Security Risk Management Plan? Or is this covered in 05_Risk_Assessment_and_Risk_Treatment? I couldn't see a document for a plan, only the assessment and methodology.
Why is risk only calculated based on physical assets? What about best practices, processes and controls that are missing in an entity and causing risk? For example, HR practices or asset practices. Does CIA apply here?
Can I not calculate risk along the same columns of controls defined in the SoA, and create another risk assessment sheet for other assets, like hardware, mostly under CIA?
I have two statements I have come across in information security that are kind of confusing me.
High-level controls and low-level controls. I have noticed you rarely use them in your trainings or blogs, but I need to understand what they are and how they apply to Annex A of ISO 27001.
With some examples, kindly advise on the hierarchy of Annex A controls, and whether it's really necessary to have a hierarchy.
I was trying to find out whether EA codes are required by, or part of, ISO 27001.
Hello,
Within ISO, is there any stated requirement for how often you should test your backups, SQL databases, etc.? Annually, quarterly, yearly? Also, for BC testing and exercises?
Thank you,
Good day. In the context of the current implementation of ISO 27001:2022, and towards certification, I ask if guidance may please be provided regarding the following: We are a company of around 60 employees. We are working towards implementing the standard throughout the company, and the risk assessment has been done accordingly. We have come across a doubt, however. While our line of business includes manufacturing and also providing services, we also plan to offer a cloud-based platform, accessible to customers via access credentials, where they can access information related to the equipment/services we provide.
1 - From the implementation/certification point of view, should the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.
2 - If they were to be separate, how would this even be managed in Conformio?
I’ve worked hard to document processes and policies but I’m afraid that our organisation might not be ready in time for the revision. That might lead to us having to update our documentation according to the 2022 version and therefore be even more delayed. I do understand that we will have to update eventually but I had hoped that we would be certified by this summer.
A question might be: if I have documented a process but we are not quite there yet in practice, would it be an idea to identify this in a risk analysis with a timeframe? If it is not a critical risk, that is.