ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 questions

    Dear Sirs at Advisera,

    I would appreciate your support with the following questions:

    1. In a previous question about whether it was correct for the CISO to perform the internal audits, your answer was that another person should be found because the CISO cannot audit himself. This leads me to the following question: should only the CISO participate in the audits, that is, are they directed solely at this role, or do other company personnel who must be audited also take part?

    2. Are the procedures prepared by an area of the company (for example, the human resources area) also audited, or only those that the standard indicates as mandatory?

    3. Is it mandatory for each area of the company to prepare its own documents or procedures describing how it operates?

    4. Clause 7.1 of the standard talks about a financial budget. How should this document be presented in an audit?

    5. Regarding risks, we have decided to review them after having passed the audit (at least once a year). In this second review, if a risk has already been treated with a control from "Annex A", should it be considered again in the new assessment, or are only the newly identified risks considered? Does the new list of risks replace the previous one, or does it only add the new ones?

    6. In a surveillance (or maintenance) audit, can our certification be taken away?

  • Risk assessment

    Where do you assess your assets relating to confidentiality, sensitivity and integrity principle? And how do I incorporate this in the Risk assessment? In other words, should an asset have a high rating in sensitivity, how does it affect the impact?

  • Auditing integrated ISO 27001, ISO 20000 and ISO 9001

    I have a question regarding the ISO auditing process. 

    My company is trying to do an integrated ISO management system with ISO 27001, ISO 20000 and ISO 9001. Can each of the standards be audited individually, or must we implement all of them first and then go for auditing/certification?

  • Annex A section 5.1

    I have had one of our ISO reviewers internally – asking why we don’t have Annex A section 5.1 (5.1.1 and 5.1.2) documents as part of the kit we purchased, or if these are covered in other sections?

  • Is ISO 22301 mandatory for audits?

    Is ISO22301 mandatory for audits like e.g., ISO13485?

  • ISO 27001/2 website changes

    Hi - wanted to get your thoughts on the impending version of ISO27001/2 and if you will be covering the changes via your website soon?

  • Security of information that pertains to computers only

    My question is: does the ISO 27001 standard (Information security management systems — Requirements) talk about the security of information that pertains to computers only? Or is it talking about information security in general, I mean traditional paper information too?

  • Control mapping document

    Is there a control mapping document between ISO 27k and 22301?

  • ISO 22301/20000/27001 integration

    How to integrate ISO 27001, 22301, and 20000?

  • ISO 27001 and NIST 800

    How does ISO 27001 complement or conflict with NIST 800?