ISO 27001 & 22301 - Expert Advice Community


  • Security Awareness Course Password Question

    One of your questions/answers (https://prnt.sc/Bbc-Z4zZfxEz) is incorrect according to typical security best practices. If the security of a website has been compromised, you should absolutely not log in immediately if they have not told you to. While you might consider changing passwords on any other site where you've used the same one, logging in and updating it on a site that may still have an incident in progress only increases your risk.

  • Change management and Change classification

    How do we define what changes need to be regulated by the Change Management and what changes do not?

    Can you maybe share a list with examples or criteria you see used?

  • Audit Questions

    We recently had a client undergo a pre-assessment audit for their certification. During the audit, a couple of issues were raised:

    • The internal audit wasn't conducted properly due to insufficient time allocated for the process and the management system.
    • The auditors were seeking procedural documents that directly correlate with the Annex A policies provided in your templates.

    Given these challenges, I wanted to reach out and seek your guidance. Specifically:

    • Do you have best practices or guidance on how to ensure our internal audits are thorough and in compliance with the standards?
    • Are there any templates or resources available that can help us align our procedural documents with the Annex A policies you've provided? This would be incredibly helpful in ensuring our documentation meets the auditor's requirements.

    Furthermore, I'm curious if you have any templates or resources specifically for ISMS procedural documents. We want to ensure that our ISMS documentation is both comprehensive and in line with industry standards.

  • Conformio questions

    We just have a question regarding the documents and then we are happy to upgrade.

    I generated an Information Security Policy using the document wizard, but it was missing the following information:

    • Exception Handling: How exceptions to the policy will be managed is not stated. Usually, there's a process for requesting an exception and how it's reviewed.
    • Consequences of Non-Compliance: Outline what the consequences are for employees who do not adhere to the policies.
    • Links to Other Policies and Procedures: Usually, the top-level policy should link to or reference other detailed policies and procedures (e.g., Access Control Policy, Incident Response Plan).
    • External Parties: You mention that the policy applies to 'relevant external parties'. It might be useful to specify who these external parties are (vendors, contractors, etc.).
    • Review Frequency: You've stated the document must be reviewed every 12 months. It's good to also mention under what other conditions a review would be triggered (e.g., after a security incident).
    • Audit and Monitoring: There's no mention of how compliance with this policy will be audited or monitored.
    • Document Storage and Versioning: Information on where this document will be stored, how it will be versioned, and who will have access should be added.
    • Terminology: While you've defined basic security terminologies, the inclusion of more specific terms used in the document might be beneficial.

    Is there something we missed during the document wizard, or any way to generate the complete document?

    Since we need to provide these policies to our customers and want to pass ISO 27001, it would be great to know how to generate the complete document.

  • Environment and Scope

    As a higher education institution, we operate in a hybrid environment encompassing cloud and on-premise resources, third-party services, as well as both in-house and outsourced application development. Our ISMS scope is currently confined to the IT department. Given this, which assets should we include in our ISMS?

    Should it be limited to IT assets such as infrastructure, servers, network systems, applications, data centers, UPS, air conditioning, connectivity, and IT human resources? Or should we extend the scope to include departments like HR and Procurement?

    When it comes to setting our ISMS objectives, considering the scope is limited to the IT department, should the security objectives also be confined to IT-related security measures?

  • Apply procedure for document and record control only to information security policies in Conformio?

    In the Conformio implementation step "Procedure for document and record control", the document Purpose states "This procedure is applied to all documents and records related to the ISMS". How can I change that?

    However, the Requirements section reads "You may choose whether these rules apply only to information security policies, procedures, plans and records, or to the documentation for your whole company."

    How do I change the document to reflect that?

  • Can a company be certified by someone who works for them?

    I noticed you have individual certification courses for ISO27001. I was wondering if a company can be certified by someone who works for them.

    For example, I am a contractor for Enhance Patient Finance. If I got ISO27001 individually certified as an auditor, could I then certify Enhance Patient Finance as ISO27001 certified even though I am one of their developers/contractors?

  • A.15.2.2 Managing changes to supplier services

    I have read the implementation guidance in ISO 27002, but I am still not sure what type of controls we should implement to be compliant with control A.15.2.2 (ISO27001:2013). I understand that this is regarding changes in supplier agreements and/or terms and conditions, changes in how our company uses the supplier services, etc. Could anyone share how you have implemented this control? We have a non-conformance from our recent audit regarding this, hence my question.

  • Missing ISO27001 References in List of Documents

    Hi Advisera Support,

    I am just working through your Document List PDF file, which I personally really like as an overview of the references to ISO 27001:2022.

    BUT in this context, I am missing some essential references, which I would have expected there.

    Are these intentionally missing, or don't I have the latest version of the Document List PDF?

    IMHO, the following references to ISO 27001:2022 are missing: 4.1, 4.4, 5.1, 6.1.1, A.5.1, A.5.2, A.5.3, A.5.4, A.5.6, A.5.8, A.5.34, A.5.36, A.7.1, A.7.2, A.7.3, A.7.5, A.7.8, A.7.11, A.7.12, A.7.13

    Please tell me in which of the Advisera template documents the relevant chapters of the ISO standard are mentioned.

  • Screening and vetting policy

    I am using the Documentation kit to develop our 27001 documents. I cannot, however, locate a Screening and Vetting Policy template. Is anyone able to point me to where it is?
