ISO 27001 & 22301 - Expert Advice Community

  • Conformio risk register, confused by some of the threat mappings for Human Resources

    The Conformio risk register defines the following:
    • Threat is what kind of negative thing can happen to your asset because the vulnerability exists.
    The mapping path is Asset to Vulnerability to Threat.
    Asset: Employees with specific expertise (system admin, security experts)
    Vulnerability: Replacement person does not exist or is inadequate
    Threat: Earthquake / Fire / Flood / Storm?
    Of the 12 items listed, only 2 seem reasonable: breach of contracts and information disclosure. Seems like this mapping needs some work, or am I misunderstanding something?
  • Linking the external/internal issues and interested parties to the risk and opportunities

    For ISO 27001 certification, is there also a need to explicitly identify or link the external/internal issues and interested parties to the risks and opportunities? For the risk assessment and treatment approach, they often started from the assets perspective.
  • Register of Legal, Contractual, and Other Requirements - how detailed?

    I am stuck as to where to start on the Register of Requirements for this section. One client may have 30+ contractual requirements.
    1 - Do I list each requirement separately or put all 30 of the items in the "Description of the requirement" field?
    2 - Do I limit the items to just those that are security related?
    3 - Most of our customers are banks, and we fill out a SIG that has hundreds of security related questions; it seems impractical to list all of these in the register for each customer. Suggestions?
  • Recommendations on Security Awareness and Training

    Could you ask one of your ISO 27001 experts for their recommendations on Security Awareness and Training?
    1 - How do I get this going in my company?
    2 - What will the auditor be looking for in this requirement?
  • Risk treatment

    Yet another question. Since our company is in the early stages and consists of a small organization, we are able to easily change our ways of working. This means we can also prevent getting into situations where we have risks which are unacceptable. As I understand it, if we're able to implement all relevant controls before entering any ISO 27001 certification, then we should be able to completely ignore documents such as the ones regarding risk treatment. This would mean that the status for all items in the Statement of Applicability is either set to not applicable or fully implemented. Can you confirm that we are able to ignore the documents related to risk treatment in this case? Also, is it common to do it like this?
  • Clause 4.2 that will lead to the Mandatory document of control A.18.1.1

    Clause 4.2 that will lead to the mandatory document of control A.18.1.1, inventory of assets. Do you have a template of this, please?
  • What ISO Standard does ISO 27001 Auditor follow during Audits?

    Trust you are doing well. We profited a lot from your explanation and course. I have a question which I wanted to ask you: What ISO Standard does the ISO 27001 Auditor follow during the Audits?
  • ISO 27001 vs ISO 27002

    Can you tell me what the difference is between 27001 and 27002? Which standard contains mandatory steps and which just contains best practice advice? How can you tell?
  • Register of Requirements — how detailed should it get?

    Hi, I'm using Conformio to build out our ISMS and I'm on the Register of Requirements step. I'm trying to get a sense of the downstream impacts of being too detailed (or not detailed enough) here, and whether or not to be aspirational (i.e. list things we're not compliant with yet) or leave them out. Some examples:
    - A single contract could provide dozens of clauses that each map to a different area within cybersecurity (e.g. privacy, data breach reporting, operational security, secure software design, service level agreements, etc.). Do I break down the contract terms into chunks? Or do I add just the contract as a single record?
    - There are some government policies in place that apply to our customers but not directly to us. They oblige our customers to implement contractual terms and controls on us, and in some cases they haven't yet done this. So in a strict sense we're not on the hook for these yet, but I'd like to plan to become compliant over time anyway. Do I add them and check non-compliant?
    So my questions are really two-fold: First, what is the downstream impact of adding these items? Is it more onerous to then complete the ISMS set-up with more items here? Is simpler better? What do auditors expect? And second, what is the impact of having items in this register in a "non-compliant" status as it applies to certification? Does everything need to be green within these registers before we can be certified, or is a working system with non-compliance being tracked of greater interest to an auditor? I'm interested to hear what's worked for others in the real world who've achieved compliance. We're only a small team. Thanks in advance!
  • How to find and choose a good certification body for ISO 27001

    A client of mine wants to be ISO 27001 certified. How do you choose which certification body to use, and what is the price of getting the certification?