ISO 27001 & 22301 - Expert Advice Community

  • Gap analysis results

    We have recently undergone a Gap Analysis with NQA ready for our ISO certification, and some significant failings were discovered during the process.

    The key bits were the difficulty in identifying / linking documentation to clauses, missing clauses without explanation and missing information on areas provided.

    Firstly, as part of our gap analysis, the processes followed within Conformio did not provide any documentation to Clause 4 of the standard, nor did we get any system assistance in completing these clauses. There was no interested parties section beyond the contractual and legal requirements, thus we were unable to evidence clause 4.2.

    Secondly, the Risk Assessments failed to provide a CIA category for any risks. We are told this is mandatory and as such, the Risk Register provided does not meet the requirements of ISO.

  • Audit questions

    Can you please help me to get clarification on the below? I had asked this in one of the QnA sessions of your webinar.

    One of my clients has outsourced the IT and Software Development. I have to do the internal audit for this client; in the scope document they have mentioned the entire organization. In that case, do I have to audit the IT department?
    One of the clients is operating in a co-working space; physical, access, IT and networking security is managed by the provider. In this scenario, does the client need to have access, network and physical security policies and procedures?

  • ISMS scope

    Regarding the ISMS Scope Document: for the location, we are a remote company with a virtual address; we have an address for our data center, and should we include it? Also, what should we exclude? We give laptops to our employees.

  • Question about audit

    I am responsible for doing audits in a TISAX implementation. In this case, using an audit checklist, from my point of view I need to have ISO 27001; is that right?

  • ISO 27001 and DORA EU

    I am a compliance specialist in payment services, and in light of the upcoming DORA EU legislation I thought I might get an ISO certification. Am I correct that I need 27001? What type of certification do I need?

  • Documenting scope of ISMS

    X company is outsourcing the main business product (source code, software application and maintenance) and IT services (office network and maintenance) from a third party. Now, the X company is trying to document its ISMS scope according to clause 4.3.

    The scope document must include Processes and Services, Organizational Unit, Locations, and Networks and IT infrastructure. However, X company doesn't have an IT department, and all IT and network related work goes to the third party. X company doesn't own a single switch or server.

    My question is: do we need to include the third party's network diagram, IT infrastructure, servers, and network devices in the scope if these touch our main product?

  • Questions about ISO 27001

    1. How to do a gap analysis of the status of my management system against compliance with the ISMS requirements of ISO 27001:2013?

    2. List of documents required to comply with ISMS ISO 27001.

    3. How to develop an ISMS ISO 27001 communications program to interested parties; what should this program contain?

    4. How to develop an ISMS ISO 27001 awareness program for stakeholders; what should this program contain?

    5. How to develop a Management review procedure program?

  • Scope question

    I have a basic Scope question that I am trying to understand, and I think that you might be able to help me.

    1 - What do we really mean when we say that something is included in the ISMS scope? Does that mean that everything in the ISMS then needs to be applicable to the organization, site and processes in the scope? Or if not, does this need to be described in the ISMS somewhere? (For example, if we have a sales process and this sales process doesn't apply to an office that we say is in scope, then do we need to document this in the ISMS?)

    2 - Could we exclude offices/departments from the ISMS because we don't share the same core processes, if at the same time we share support processes (HR process and some IT processes, for example) and steering processes?

  • Question about certification requirements

    We are working on the implementation of the BIO (Baseline information security for Dutch governments) and are thinking of ISO27001 certification. I purchased the internal audit toolkit (Dutch) to get a better understanding of the work still to be done.

    1 - Could you explain how the certification process is done and what the average costs are?

    2 - Can Advisera do this certification?

    3 - Can the certification be done online / remotely, or does it need to be done onsite?

    4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.

  • Training and awareness plan

    I need help from your expert to know how to deal with the following chart and what is really expected in terms of competencies and knowledge, as well as the related training.
    https://i.imgur.com/YAbZCbE.png

    Can you please provide me with some support?