IT Security Policy
The following two lines are not (technically) implemented; is it obligatory to implement these in case Mobile Device & Teleworking is applicable?
Becoming a lead auditor
What are the criteria for being a Lead Auditor?
Access control and working in secure areas
I'm having trouble deciding what information should be included in A.9.1 Access control policy and which in A.11.1 Policy for working in secure areas. A.9.1 refers to rules for access to various systems, equipment, facilities and information, based on business and security requirements for access. A.11.1 refers to the definition of basic rules of behavior in the secure areas. So, the second one obviously refers to physical areas while the first one is more general. I find it kind of confusing.
Elaborating a security policy
I know that information security objectives are not the same exact thing as information security policies. However, I find that the essential elements that I wish to capture in a simple policy statement can be crafted from the objectives in Annex A.
Mandatory documents
As I have been assigned the task of creating overall IT security policies and procedures documentation, I have chosen the ISO 27001 guidelines to help me define the scope of documentation required for my company to be ISO certified this year and to submit the documentation for one of the security requirements imposed by the UK tender framework.
Categorization of assets
Regarding asset identification, when dividing into primary assets (business processes and information assets) and supporting assets (hardware, software, people, documentation, etc.): how should you assess, regarding information assets, what is categorized as a primary asset vs. a supporting asset?
ISO 27001 implementation and certification
I work as a freelancer. A company asked me to implement the network and manage it in such a way that the most important asset is the information; they tell me that it applies ISO. My question is whether applying the standard is the same as certifying. If I apply the standard but do not certify, I'm not sure what happens. I need to understand the subject.
Risk assessment
I am working on my risk register now and I have identified 100 threats. How many are usually identified?