Guest
1. Please confirm that the following versions of the Mandatory Documents are the latest/current versions: ISO 27001 – ver 3.9, 2020-02-10
2. Within the ISO 27001 Documentation Toolkit List, see attachment 27001A.
I would like to know the relation between ISO 27k and the IS strategy: is it part of it, or is it considered a tactical process?
1. Is it possible to integrate ISO 9001 with ISO 20000, or is this not recommended? If this is not recommended, how will the usage of the three management systems according to the three standards (9001, 20000, 27001) be facilitated?
2. What outcomes could be expected within the certification process provided that we have developed the systems in compliance with the applicable standards:
a. One integrated management system?
b. Separate systems for each of the three standards?
c. One system for 27001 and one system integrating 9001 and 20000, each of them with different scope?
1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.
2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?
As part of ISO 27001 I know we are required to gather the context of interested parties and identify the external and internal context. To satisfy auditors, does this have to be in a document format like a policy?
Are there models to assess the maturity level of ISO/IEC 27001 implementation? Kindly recommend some.
A client wishes to become ISO 27001 certified. My company is a very small ICT firm working in the same building and on the same network as this client (same IP scope). How should I define their scope?
I would really appreciate your opinion on this ISO 27017 matter. This is the case:
Company A is ISO27001 certified for the ".... management of cloud infrastructure (IaaS)"
Company A does not have its own data center.
Company A provides IaaS services based on cloud resources and technology of a big provider (such as the MS Azure VMware solution) with which Company A has a contract.
Company A wants to integrate ISO 27017 into its current ISO 27001 certificate (which already includes IaaS services).
From an ISO 27017 perspective, is Company A to be considered a cloud service customer, a cloud service provider, or both? And why?
Thanks in advance
How do you perform risk management practically and step by step according to ISO 27005?
We bought the Docu Kit and again I have a question about the ISMS.
The ISO 27001 standard requires that an information security policy be formulated and made known (5.2). The standard does not specify which scope (or area) of an organization the information security policy must cover. Is it possible that overall policies are valid for multiple areas (locations, sites) within an organization, whereas some policies are only valid within the specified scope of the ISMS?
An example:
Our company has several locations, and the information security policy applies to all locations here in XXXX. However, the actual scope of the ISMS is only a subarea of a certain location. Therefore, can the information security policy be valid in its entirety while certain procedural instructions of the ISMS apply only to the ISMS scope? This would mean that there are documents in the ISMS with general validity and also documents that only apply to the ISMS.