Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Enterprise Account for Security Awareness Programs
thanks a lot for your eMails (I´m also registered under ***), but I´m writing you from my companys eMail now. You maybe don`t remember me, but we are being in contact in Year 2016, as I was implementing ISO 27001 for a customer in ***. At that time, I`ve bought (acquired) the “ISO 27001 Toolkit” from you and it`s was really very helpful. If you remember, I also bought later your EU-DSGVO Toolkit (2017). Since 20198 I´m become Freelancer for Compliant & Information Security and I´m very happy for that, because I`m being very successful the whole time. Now, I`m starting a project for a different German customer to implement Business Continuity Management, according to ISO 22301. What I need to know it is, if your ISO 22301 Toolkit much more different is to the content comparing to the ISMS one. This is the content of my ISO 27001 Toolkit:
I need your answer as an expert, but not as a commercial vendor, then I need to know if I´ll received value added if I buy your ISO 22301 Toolkit for my actually project.
Please let me know, from expert to expert, if this make sense for me or not. If you told me it`s make really sense and will helpful for me to implement the BCM project, then I`ll make an order to you. Perhaps, you`ll remember me as a client and you`ll make me a special offer for this BCM-Toolkit.
I really appreciate an expert answer from you.
-
ISMS implementation
At the moment, my questions regarding ISO implementation are: · In document 2.1 it asks for requirements. It is not clear to me how to identify those requirements. Can we link them to controls from the Annex? · For the ISMS Scope: we want to certify only our location in Belgium and we were advised by certification bodies to not mention our second location in Poland at all. However, our processes happen regardless of the location and part of them happens in Poland. Can we (and how) exclude Poland from the ISMS while keeping the processes? · Given that it's the first time we implement ISO in aug.e, what are the steps we should follow regarding filling in the documents? It seems to us that we will have to go back and forth in a way that will be quite confusing. I couldn't find any relevant information in the Advisera courses. -
Additions to Conformio
Please can you advise with regards to the following; In Conformio Risk Register I am able to add Risks – which are specific to a client If the Control is from an alternative Source for example ISO 31000, can this control be added to Control ID defined in SoA? If this is not possible how would I be able to manage All Risks in the organisation through Conformio if ISO 27001 is the only source of Controls? -
Information security policies
Can you help me with the following questions: 1- ISMS Security Objectives can be the same Control Objectives of ISO 27001:2013 or are they two different types of objectives? 2 - What is the difference between an information security policy and a recommended control or can they be the same? 3 - For the establishment of the ISMS Security Policies, can the textual requirements of ISO 27001:2013 be taken? 4 - For the establishment of the ISMS Security Policies, can the same statements of the Control Objectives of ISO 27001:2013 be taken? 5 - For the establishment of the ISMS Security Policies, can the same 114 statements of the ISO 27001:2013 Controls be taken? -
ISO 27001 templates
Hi, we have recently purchased your ISO templates and I am one of those responsible for working on them. In the document A.12.1_Security_Procedures_for_IT_Department_Cloud there is a section down the bottom with all the attachments which I am lost in because I could not find any templates on those attachments. These are: [Security features and level of expected service for network services] – electronic and paper form [Security features and level of expected service for cloud services] – electronic and paper form And I simply do not know where to start from the scratch [Erasure/destruction records] – in paper form [Decisions about the communication channels used for specific types of information, restrictions, forbidden activities] – electronic form Is there any template that could help please? -
Scope Document
I am currently working through the Scope document for the ISO27001 audit, and had a quick question regarding the scope document, but really all of them. There are many sections of the documents that describe the purpose of the document, and I was wondering if there is anything I NEED to delete off of the documents for the audit itself? Or am I okay to just fill in the information for my company, and leave the rest? -
Validation of the ISO certification
once a person is certified, how long is this certificate valid as an auditor? Is there a reference? for example if someone is certified auditor since 2015, is it still valid?
-
ISO 27001 Contact with Authorities
When looking at ISO27001, what are examples of relevant authorities under Annex A.6. As a US company, we may model our work around GDPR, but we don't necessarily have a legal requirement to follow it. With that said, are there any other authorities we would want to maintain contact with? -
Asset management
My question is about your asset inventory, I have doubts, I have a list, among the list there is equipment such as laptops and desktops, software, servers, licenses, records, the entire list is entered as assets, for example: I have approx 22 laptops, are they all entered individually as assets or do I only take it all as one? If you had an example of one made I would appreciate it to guide me. -
Non-conformities
Hi Dejan, I wanted to ask you about documented information for the ISO 27001 Clauses 4.2 and 4.4. For the Clause 4.2, our external auditor requires us to have a document containing all needs and expectation of interested parties. My understanding is that there’s no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, Compliance_Requirements.pdf. For the Clause 4.4., our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10. My understanding is that there’s no standard requirement for an ISMS Manual document. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, ISMS_Manual.pdf. Thank you for your help.