Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Electronic File/Folder structure SOP
My organization is looking to create an SOP on how to create a folders/file structure (electronic). We have lots of documents and everybody organizes their files/folders in their own way and it is a disaster... Does ISO 27001 addresses that issue? -
Internal Auditor from outside
Hello Advisera,
we've hired our internal auditor from outside, and we will receive Audit Report from him.
Do we still have to write the Internal audit Procedure and program, or is it normally what the Internal auditor should provide us in this case?
Thank you!
-
Questions for ISO 27001 & 22301 List of Mandatory Documents
- No 1. Document Code 00, Procedure for Documentation and Record Control. Should this be marked as Mandatory for 27001?
- No 3. Document Code 02, Procedure for Identification of Requirements. Should this be marked as Mandatory? I noticed No. 4, Appendix 1 is checked as Mandatory. Shouldn’t this be part of the Procedure for Identification of Requirement?
- No. 27. Document Code A.12.2, Change Management. Should this be marked as Mandatory?
- No. 32. Document Code A.15.1, Supplier Security Policy. Should this be marked as Mandatory? I noticed No.33, Security Clauses for Suppliers and Partners is checked as Mandatory. Shouldn’t this be part of the Supplier Security Policy?
- No. 34. Document Code A.16, Incident Management Procedure, Under the Relevant Clauses in the Standard, one of the controls display as A.6.1.2, should this be A.16.1.2?
- No. 57. Document Code 10, Internal Audit Procedure. Should this be marked as Mandatory? I noticed No. 58, Appendix 1 is checked as Mandatory. Shouldn’t this be part of the Internal Audit Procedure?
- No. 63. Document Code 12, Procedure for Corrective Action. Should this be marked as Mandatory? I noticed No. 64, Appendix 1 is checked as Mandatory. Shouldn’t this be part of the Procedure for Correction Action?
-
DRP aplicabilidade
Um cliente vai ter uma auditoria de certificação ISO 27001 em julho e o plano de drp já está contratado para entrega em dezembro com contrato assinado. Porém sabemos que em julho não haverá evidências do teste de drp e apenas o projeto comprado com a evolução. Ele quer saber se isso daria uma não conformidade maior inviabilizando a recomendação da certificação. A empresa em questão tem 2 servidores em 2 cidades. Porém, os sistemas NÃO são complementares. Um não suportaria o outro em caso de um desastre. Foi contratado então, a solução de DRP, para aumentar a capacidade do equipamento menor para suprir em caso de interrupção do servidor maior. Já possuem o procedimento de backup, porém, na situação atual, a empresa não conseguira estar operando todos os sistemas em caso de desastre. O projeto contratado estará operacional em Dezembro, mas a auditoria será em Julho agora. A preocupação, é que o DRP está declarado no documento de aplicabilidade, e em julho, não teremos ainda a evidência principal de teste realizado mostrando que o DRP está funcionando. Somente em Dezembro, conforme prometido. A dúvida é se isso será considerado uma NC MAIOR por falta da evidência prática do teste de DRP, ou se seria uma NC MENOR, por mostrar que a situação está contratada para resolver em Dezembro. -
DRP applicability
A customer will have an ISO 27001 certification audit in July and the drp plan is already contracted for delivery in December with a signed contract. However, we know that in July there will be no evidence of the drp test, only the project purchased with the evolution. He wants to know if this would lead to a major non-compliance, making the certification recommendation unfeasible.
The company in question has 2 servers in 2 cities. However, the systems are NOT complementary. One would not support the other in the event of a disaster. The DRP solution was then contracted to increase the capacity of the smaller equipment to supply in case of interruption of the larger server. They already have the backup procedure, however, in the current situation, the company was not able to be operating all systems in the event of a disaster. The contracted project will be operational in December, but the audit will be in July now. The concern is that the DRP is stated in the applicability document, and in July, we will not yet have the main evidence of a test carried out showing that the DRP is working. Only in December, as promised. The question is whether this will be considered a Major NC for lack of practical evidence of the DRP test, or if it would be a minor NC, for showing that the situation is contracted to resolve in December.
-
What does the graphic/pic represent?
What does the graphic/pic represent in this article https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/
-
VDA ISA Certificate
HI, I would like to know if the VDA ISA Certificate overlaps with the ISO27001 and if we can use another template and implement all the controls needed for the VDA ISA, but using your own templates for the ISO 27001. That would mean that when we do the risk assessment we will take into consideration the Excel table from the link above and later implement controls for the ISO27001 on that basis. Would that be enough to have a maturity level of 3 or 4 if everything is implemented and works? Any advice on implementing ISO27001 and VDA ISA in parallel is greatly appreciated and if you have materials that would be useful or even document kits that we can buy, we would appreciate it. Thank you. -
ISMS Implementation Flow
I would like to take this opportunity to thank you for your webinar yesterday.
I would request you to please share some ideas / opinion on the below mentioned ISMS implementation flow in chronological order. Your opinion or suggestion will be a great help for me.
STEPS INVOLVED IN ISMS IMPLEMENTATION
01) Discussion with the top management for implementation of ISMS
02) Planning of awareness programme
03) Define of scope
04) Discuss & document the statutory & regulatory requirements (security) applicable to organisation
4a) Risk identification (HAPPENS PARALLEL)
1) Identification of assets
2) Risk assessment & treatment plan
4b) Scope of applicability
1) Discussion & Understanding of the controls & applicability to organisation
05) Discuss & document the internal & external issues
06) Define & discuss the interfaces & dependencies within the processes in the organisation
07) Awareness training on ISMS certification across the organisation staff
08) Define document applicable ISMS documents, Roles & responsibilities
09) Implementation of controls within the organisation
10) Monitor implementation progress
11) Internal Audit after implementation
12) Management Review meeting
13) MRM outcome implementations & improvements
14) Preparation for external (certification) Audits
-
Integration of 27001 and 27002 in establishment of guidance
To what extent would you integrate 27001 and 27002 in the establishment of guidance to Controls?
-
Risk Assessment Matrix
Attached is the risk assessment matrix we chose to use for our organization when doing ISO 27001 implementation. We think this will make more sense for us than multiplication or addition of 'Impact' and 'Likelihood'. Will there be any issue of using it, does ISO specify a set of matrixes so we cannot use anything else?