ISO 27001 & 22301 - Expert Advice Community

Clause 4.1 internal and external issues

We have a question for you on 4.; what is the best way to address this requirement, should we add this verbiage to our 05 risk assessment and risk treatment methodology document (like below) or should we create a separate table and/or document where we list action, who is responsible, timeframe for the items noted below.  My original thought was to include these items in our risk assessment process but would be interested in your thoughts, thanks.

3.6 Organization and Context

The head of EOM Security and Compliance will be responsible for identifying any internal or external issues that could affect the intended outcome of the ISMS.  Internal issues such as resources, training, data storage, organizational roles, tools, EOM software, system processes need to be captured and added to the Risk Assessment Table.  External issues such as cloud providers, customers, the economy, technology, legislation, the environment, all need to be reviewed and added to the Risk Assessment Table if necessary.

ISO Log Retention

Just wanted to know whether there has been any log retention defined in ISO for storing system logs in terms of number of days/years. Like in PCI-DSS, there 's a requirement to store the logs for 1 year, can you please confirm if there's anything as such from ISO perspective.

6.1.3 (f) and acceptance by top management

Quick question: 6.1.3 (f) requires Risk owner to accept the risk treatment plan and residual risks. In your templates (risk treatment plan, Method for risk evaluation and treatment), the risk can be accepted by TOP management. Is this still conform with 6.1.3 (f) or do we have to get approval from all risk owners?

Free Calculator - Duration of ISO 27001/ISO 22301 Implementation

1. A quick question on your calculator..
Q. Number of physical locations.. We have 5 employees who all work remotely. We don't have a physical office. So is this 5 physical locations?

2. another question on the calculator. One of the question asks, will a project manager be assigned (or something along those lines), I ticked 'yes' as I am assigned as PM and I am a Prince2 practitioner. Does this assume a full time employee? I am part time, therefore I wonder if the calculation would be longer if it took that into account?

Application of ISO 22301 certification

I have a question. Can the ISO 22301 certification be applied to a product which aims at ensuring business continuity after a disruptive event?

ISMS Risk Assessment & COSO Enterprise Risk Management

Is there anyone who has implement COSO ERM and ISMS together? Can you use COSO ERM to do ISMS risk assessment? Can someone share how it is being implemented? Do you use any tools?

Can ISMS use its own risk assessment methodology and approach that is different from COSO ERM?

Analysis with each standard and implementation

Como se evalúa para hacer el cobro por el análisis con cada norma y la implementación

Vulnerabilities

Hello Advisera Team,

I have a question about Vulnerabilities in Risk assessment in ISO 27001: is it something which already has place, or something which could potentially happen in the future?

I mean, in your example below, if we have UPS, fire extinguisher, and fire protection, are all those risks not relevant for us? So we don’t enter them in our Risk Assessment Table?