ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001 Internal Auditor Course Product: EU GDPR Documentation Toolkit
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Revision of assignment

    I’ve worked hard to document processes and policies but I’m afraid that our organisation might not be ready in time for the revision. That might lead to us having to update our documentation according to the 2022 version and therefore be even more delayed. I do understand that we will have to update eventually but I had hoped that we would be certified by this summer.

    A question might be, if I have documented a process but we are not quite there yet practically, would it be an idea to identify this in a risk analysis with a timeframe? If it is not a critical risk that is.

  • Setting up and passing the audit

    As we have two entities, one in Site A operating under the supervision of the regulator and 2nd in Site B providing services for the Site A entity, a few things to clarify:

    1 -Is the setup, documents, actions etc. enough for both entities, or I will have to prepare two different setups?

    2 -Also do we have to pass an audit to certify both entities or only the regulated body is enough?

  • Outsourced development

    I am struggling with the definition of outsourced development at the moment and seek advice.

    My CTO’s view is that we do not have any outsourced development which , if true, would mean that we should be able to exclude A.14.2.7. But I am not really sure what I think. We have a small team of developers in another country (Poland) hired by a consultancy firm. We have a dedicated Team leader (hired by us) leading that team (operationally) and the developers in the team are otherwise handled as any other developer in our organisation. Most of them being consultants, the only thing that differ is that the team in Poland is hired by a third party. They follow the same processes, use the same information (located in the management system) and are monitored in the same way as all other developers in our organisation. They are a part of our internal communication with department meetings, company meetings, using our organisations MS Teams etc). They have the same access (depending on their role and their need) and are added in our people register as any other consultant. This is the reason to why we are saying at the moment that we don’t have Outsourced development. But is this enough? Or are we, just because we are using a third-party firm to supply these developers by fact having an outsourced development?

    Really appreciate if you take time to read my question and any help to become a bit wiser in this =)

  • How would ISO 27001 help secure system from ransomware attack?

    How would ISO-27001 help secure a system from a ransomware attack for example WannaCry?

  • Information security policy review

    How do information security incidents impact information security policy (approved by Top Management)?

  • Residual Risk Question

    The risk assessment and treatment plan output document includes only the risk rating before the measures to mitigate risks. The auditor would like to see the measures taken to mitigate risk and the residual risk level in the output document. This information is available in the software but not in the pdf created by Conformio.
    Could you please add this information to the pdf document?

  • What are the laws and regulations to be included in the ISO 27001 Register of Requirements?

    I thought the ISO 27001 Register of Requirements should contain only laws and regulations on information and data security such as Personal Data Protection. I have seen examples of Companies Act, Employment Act, Taxation Act, etc. included in the Register. Why are these included as they do not relate directly to information security?

  • Questions about ISO certification

    We have bought the “ISO 27001 documentation toolkit” and now we have some questions:


    1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with asterisk: (e.g.  #4): are they required at the ISO certification or can we decide if they concern us or not? 

    2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us? 

    3. The head quarter and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, and belonging 100% to ***. How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?

    4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for certifier?
Page 27 of 544 pages