ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment ISO 9001 Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit ISO Product: ISO 27001 Internal Auditor Course
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Audit point

    The auditor has indicated that there are a number of 2021 policies where we cannot demonstrate per date stamping in Conformio that the policies are valid/current in 2022. we don't want to change anything in the policies (e.g., information security policy), but how can we demonstrate that an older policy is still valid in 2022 given it is date stamped 2021.

  • Risk Management Questions

    We received this question:

    Me pueden ayudar con la siguientes Preguntas

    1. Qué tanto nivel de detalle es necesario en el proceso de identificación y análisis de Riesgos de los activos de Información?, ya que por cada activo se podrían formular muchos riesgos.

    2. se puede agrupar activos para hacerles el análisis de riesgos? tenemos muchos servidores con características similares y con posiblemente el mismo nivel de exposición a  las mismas amenazas.  Qué consideraciones se deben tener en cuenta para agrupar activos para facilitar  el análisis de riesgos?

    3. Existe un catálogo de Amenazas predefinidos y/O recomendado que se pueda tomar como base para el análisis de los riesgos?

    4. Existe un catálogo de Vulnerabilidades predefinidas y/O recomendadas que se pueda tomar como base para el análisis de los riesgos?

    5. Existe un catálogo de Controles recomendados que se pueda tomar como base para plantear los controles ideales para el tratamiento de los riesgos identificados?

     

  • Best method of internal audit checklist

    I have question concerning creating the best method of internal audit checklist. Is it open or close ended question given that your sample in advisera.com used was close ended question while your modules addressed using open ended questions.

  • ISO 27001Toolkit

    We are tasked to establish a document on Web Application Vulnerability Assessment on public facing websites as part of web application management. With reference to the toolkit we purchased, may we know what is the most similar document that we can use as a reference. The current process we have as follows: 1.            Information Security Manager conducts the web application vulnerability assessment on all public facing websites. 2.            The business owner(s) who owns the websites may nominate the web masters who will maintain and manage the updates/upgrades and remediation of all application related issues. 3.            Vulnerability scan report will be given to the Bu(s) and web masters (developers) by Information Security Manager. 4.            Vulnerabilities will be addressed by web masters (developers) with reference to the Detailed Scan Report. 5.            Re-scanning of the website will be conducted to check and verify mitigation made.

  • Using CVSS as Risk Management Methodology for ISO 27001

    Is it possible to use CVSS as Risk Assessment Methodology and still be compliant with ISO 27001? How do we map LIKELIHOOD and IMPACT using CVSS? Thanks.

  • ISO 27001 - Microsoft Office

    Is there any incompatibility between using Microsoft Office and applying for ISO 27001 certification? Thank you very much in advance for your attention!

  • Becoming ISO 27001 lead auditor

    I’ve recently passed ISO 27K1 foundation exam. Now planning for ISO 27K1 lead auditor course and exam. I’ve query regarding it. After I pass the exam ISO 27K1 lead auditor from Advisera, then am I able to audit companies for ISO certification and provide certification? So, I was checking PCEB exam too, but Criteria seems different then Advisera. Please advice.

  • Conformio and Annex A controls

    I have a client who signed a contract with a big company some time ago and this client was part of a big *** advertising group and benefited from all the resources of the group, but now he has become independent and has to implement the requirements defined in the contract in order to comply with the contract he signed before. Therefore, he asked me to implement the requirements of the contract as a priority. Here are the security policies and article that I need to put in place first. I don't know if they can be handled separately or should I follow the step by step procedure. Let me know if you need more information. Policies to be put in place : Data backup policy Business Continuity Planning Policy External parties policy Data classification policy Security patch management policy Cryptographic standard Access Control Policy Remote Access Control Policy Physical and Environmental Security Policy Security and Privacy Incident Response Policy Articles: A.12.2.1, A.15.1.1, A.15.1.2, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.5, A.17.1.1, A.17.1.2, A.17.1.3, A.18.2.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3

  • Mapping of requirements on controls

    Here’s another question about the mapping of requirements on controls. We have a customer requirements that relates to regular reporting on the effectiveness of the ISMS. I think it would be appropriate to map these on controls A.18.2.*. From the mapping document this does not seem to be the possible. There is no corresponding ‘Compliance’ are that can be selected. Actually, A.18.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should a compliance area not be selectable in the requirements register and should A.18.* not be mapped as a result of mapping onto this area? Or any other area?

  • Performing Information security and POPIA compliance gap analysis

    Good day Dejan, I have been going through your materials and I am about to purchase the ISO 27001 Documentation Toolkit English (with live expert support) Because I have the below message from a potential client. Hi, I have a client who would like us to submit a proposal to perform Information security and POPIA compliance gap analysis. The overall purpose of this analysis is to identify the level of compliance and potential gaps that might exist from an Information Security perspective when measured against ISO 27000, and Data Privacy as measured against POPIA. Deliverables 1. Report of Cyber Security Gaps along with the recommendations and a roadmap to resolve these gaps 2. Report of POPIA Compliance Gaps along with the recommendations and a roadmap to resolve these gaps 3. Presentation to the client of the findings of the Audit exercise 4. A penetration test report Response Requirements The following should be included in the response: • Approach • Specific Deliverables • High-level timelines What do you advise as to how to proceed with responding to the approach and specific deliverables?
Page 43 of 544 pages