ISO 27001 & 22301 - Expert Advice Community


  • Risk Statements

    Hereby a question on how to write good risk statements using the known ISO risk components from 27005, Annex D (Threat, Vulnerability). Various articles (e.g. ISACA) highlight a risk statement on the formula: [Event that has an effect on objectives] caused by [cause/s] resulting in [consequence/s]. Can that in the ISO world be translated into: Threat (that has an effect on objectives) caused by a vulnerability, resulting in a business consequence? So taking 27005, Annex D, the first row in the table, the Risk Statement will be: There is a risk of "breach of information system maintainability" due to "insufficient maintenance installation of storage media." This may lead to XWY. Or is it the other way round, that the risk is the "vulnerability"?
  • SAMA and ISO 27K: common control

    Can I understand the common control between SAMA and ISO 27K?

  • A.11 Domain Requirements List

    Please, I want to know the specific requirements to achieve the A.11 domain of ISO 27001 certification. My organization is considering becoming ISO certified.

  • Controls for Stage 2 audit

    Hi, do I need to have implemented and be able to evidence all of the controls identified in the SoA for the Stage 2 audit, or can I state which ones are fully live and which are still in progress?

  • Annex 12-4

    Please, sir, in the toolkit of ISO 27001 under the Annex 12-6 there is a table for the level of logging by device type. Please can you throw more light on this for me?

  • ISMS system

    Thanks, Dejan. This is useful. Usually, most companies would have their best people in front of the customers. Sadly when it comes to implementation they are not around and the entire activity is left to inexperienced folks who usually go by the book.

    1. We have put in place an ISMS. We are yet to perform a gap assessment to evaluate how far we have progressed in the journey. To me, this is the time (prior to gap assessment and then certification) to assess how much of what we have written is applicable, i.e. of relevance in context to changing business requirements, to organization appetite for investment, and then amend the ISMS to appear more practical.

    Is the above-mentioned relevant?

    2. What ISMS documents do the auditors look at? Or, to say, which document is critical to ISO certification?

  • ISO 27001 certification

    How can I get certified within 3 months?

  • Scope of BCMS

    How to define the scope of the BCMS and start implementing? Do I have to include all the functions in the Organisation to go for ISO 22301 certification?

  • PDCA definition

    How can I define the activity in each PDCA and the time for each one? What is the activity example to start the project? If you can give me an answer for both ISMS implementation and Risk treatment plan, that would be great.

  • ISO 27001 implementation

    1. Do I need to list individual software licenses in the risk assessment or can they be put into broader categories? I’m thinking ahead to an eventual audit and what an auditor might want to see to show that we are taking everything into account.

    i.e.
    Software tools that may contain PII and/or confidential information
    Software tools that do not contain PII and/or confidential information

    And do they need to be separated by whether they are run on premises only or in the cloud?

    Or, do I need to put:
    Salesforce.com
    Microsoft Office,
    etc. and list all threats/vulnerabilities of each? We have a list of all software tools that contain PII for GDPR already in the Appendix – Inventory of Processing Activities.

    2. Is there an easy way to know which controls would apply for each vulnerability? I.e. a mapping to the vulnerabilities that are pre-populated in the Risk Assessment? I think that each vulnerability listed probably has a specific control so having a mapping would save a lot of time vs trying to match them one by one.

    3. When creating the risk assessment using the Asset-Threat-Vulnerability method and assigning a Likelihood, do we take into account the current state of that risk given our already implemented (pre-ISO 27001) controls? I.e. if we have multi-factor authentication, the risk of access to our email system is lower, therefore would we put a lower number for likelihood? I assume this is the case, but am not clear.

    4. Do you suggest using the OCTAVE Allegro worksheets (or something similar) for polling the risk owners while creating the Risk Assessment, or is there a questionnaire available that can be sent to them with specific questions that I am missing?