Guest
Thank you for the meeting we had last Friday. As discussed, “A.8.2.2 Labeling of Information” is not applicable for us, and I deactivated the control in the SoA. However, in the following steps I see there is the “Information Classification Document”, which requires a responsible person and also defines the labels in 3.2.2 (Confidentiality levels – see the table below).
I’m wondering if there is a way to remove Labeling in this case, or is it enough that we have manually put Not Applicable (N/A)? Or, if we have A.8.2.1, is it mandatory to have A.8.2.2 as well?
ISO has certification for organizations, such as ISO 27001; is COBIT a competitor, and does it also have certification for organizations like ISO does?
Thanks for your mail - I actually noted afterwards that I was able to view the docs.
Can you please assist with which template is the correct one to cover the following, according to the SABS standard document:
Clause 4.1.
4.1 - External and Internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome/s of its information security management system
And
Clause 4.3
Determining the scope of the information security system
If you can guide me in the right direction - I will purchase the single documents as I go along.
We got a peculiar request from a customer. Although we are ISO 27001 certified, a customer is insisting that we provide the full list of the following documents.
It is the first time we have been asked this, and I was curious whether you have come across it in the past and have any ideas on how to proceed.
Thank you
· Context of Organisation
· ISMS Scope
· ISMS Governance
· External & Internal Issues and Interested Parties
· Risk Assessment and Treatment Methodology
· ISMS Risk Assessment: Asset Register and Risk Treatment Plan
· Information Security Policy
· Training Matrix
· ISO 27001 Training & Awareness Schedule
· Information Classification and Handling Policy
· Monitoring and Logging Policy
· Corrective Action Register
· Access Control Policy
· Acceptable Use Policy
· Production of Software Policy
· IT Procurement and Third Party Security Policy
· Incident management policy
· Intellectual Property Policy
How do I satisfy ISO 27001 clause 4.1 in Conformio? Please advise.
One thing that I cannot understand is why we need to maintain two separate documents, one for risk assessment and one for risk treatment. Let’s say I have a risk assessment Excel spreadsheet containing 500 rows, each representing a risk, which I maintain and keep updated accordingly (risk identification + analysis + calculation is always completed).
Now I need to transfer all those 500 risks to another Excel spreadsheet to determine the appropriate controls that can be put in place to treat each risk.
My question is whether I can have a merged/combined document to maintain for both tasks. I have my risk assessment Excel document with all required columns (risk identification + analysis + calculation, etc.), and what I need is to add another 5–6 extra columns required by the risk treatment plan and have them all in one. Is this right?
I purchased the ISO 27001 Implementation Toolkit from your team last year, and it has been very useful.
I would like to get some professional advice. I am currently implementing an ISMS for a client using the ISO 27001 framework. Now, is it advisable to use the new ISO 27002 controls released in February 2022, or should I stick to the older version?
Hi, I have a question on how to audit the following:
The company (Xcompany) where I work has acquired another company (Ycompany), so now Ycompany is part of Xcompany. In this case, do their employees need to sign new NDAs with Xcompany? Or, if they already have NDAs signed with Ycompany, is that not necessary?
Thank you for your help
Concerning the backup policy provided in the Toolkit, the company's data is stored at **** Cloud, which we obviously do not manage.
The backup is done automatically, and in case of deletion of files/folders, we just have to restore the deleted files/folders through the web interface.
Do I have to indicate this in the backup policy?
I have been advised that UKAS rules state that, following a Stage 1 audit, the Stage 2 audit must be carried out within 3 months of Stage 1. Could you please confirm whether there is indeed a time limit between the audits and, if so, advise what this time limit is?