-
Lead Auditor / Lead Implementer
1. If someone enrolls in ISO 27001 Lead Auditor/Lead Implementer training at an ISO-accredited training provider and passes the exam, will he/she/they automatically be eligible to add ISO 27001 Lead Auditor/Lead Implementer after his/her/their full name?
2. Related to question #1, how can someone else's ISO 27001 Lead Auditor/Lead Implementer credential be verified? Is there any URL to validate it?
-
Conformio questions
1. Can I treat the Project Plan as a statement of intention? If we do not meet the deadlines we have set in the Project Plan, would this be a problem during certification?
2. At the end of each document in the wizard, there is a set review cycle of 6 months or 12 months, depending on the document. Why is it set this way, and can I change it?
-
DevOps
If my technology firm outsources DevOps, then on an asset register (on which the risk register is based), do I need to know the make and model of the hardware/software used by the outsourcing organisation, or is it sufficient to log that the outsourcing organisation represents a risk because it is a third party?
-
Risk register
I deselected some controls to see where the residual risk would change from 0 to 1 to 2 to 3.
When I deselected some controls, the residual risk went from 0 to 3, with nothing in between.
When I re-checked all of the controls, the residual risk remained at 3.
How do I reset the value back to 0?
How do I get a residual value of 1 or 2?
Asset: Network equipment
Vulnerability: Rules for IT/communications equipment not clearly defined
Threat: Interruption of communication services
Which items to select?
-
Sample data for MSP
I’m currently trialling the use of your Conformio platform in our environment.
We are a managed service provider, offering hosting of specific financial consolidation platforms as IaaS through cloud providers (more specifically, ***).
I understand that ISO 27001 documentation is very specific to each organization, but I also believe a large part of the documentation to be … “standard”. If I were to remove the specific software platforms that we host and consult on, we are just another *** Provider. Do you have sample artefacts, such as risk registers or statements of applicability, that apply to organizations like that?
-
Copying documents
Why do auditors copy documents from one organization to another? Is it to make their jobs faster, or to use them as a starting point for the new organization? It was stated in the training that copying documents is not good practice.
-
Conformio - setting up people and departments
I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.
What detail is required
As far as legislation is concerned, I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018, do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”?
You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc. are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities.
There are quite a lot of acts etc. that I have heard of but don’t know in detail, e.g. the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!
Valid from and deadline dates
What are these dates aimed at?
-
ISO27001 Implementation
Good day
I trust this email finds you well.
I have a question, if I may ask. I understand that your services are in fact your income, so I don’t want to seem as though I am taking advantage.
We are a software development house, planning on implementing ISO 27001. I am going through the webinars and also the Foundations Course.
May I ask, the controls start at 5 (5.1) – is this because this is where the 27001 family starts? We just want to be sure not to miss controls. If there are 114 controls (in 40 sections), I take it not all of them fall under ISO 27001 – is that why not all 114 are listed?
-
Scope in Conformio
Thank you for offering assistance. We have started gathering interested parties and requirements.
We are struggling with the scope of this list.
For example, ISO 9001 covers the “local community” as an interested party. But I presume this is not applicable here, because they have no interest in our ISMS and our ability to prevent a breach. If it is limited to people who have an interest in our ISMS and our ability to prevent a breach, then it would be easier.
Our client may have concerns about our ability to keep the documentation and passwords that we possess on our systems safe from a breach.
But the services we provide to them to keep them, their systems and their data safe from a breach are not in scope, I believe? We need to clarify that.
Any guidance you can offer would be greatly appreciated.