ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 14001 Product: ISO 27001 Internal Auditor Course
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Organizational chart - ISMS

    I am the Quality Manager at *** and I am in charge of implementing ISO 27001 in the company. For this purpose, we have purchased the ISO 27001 Toolkit from Advisera, exactly ISO 27001 Documentation Toolkit English (with extended support). 

    In our case, we have a question that we would like to clarify with you, as we are sure you have seen more cases like this in many other companies.

    *** is a small company (around 20-30 people) that is in a growth and expansion phase (in the next few years). As we are a manufacturer of custom-made medical devices, we have a Quality Management System according to ISO 13485 (applicable to medical device manufacturers) in place in the company.

    Now, in defining and implementing ISO 27001 using the materials provided by Advisera, we see that there are many overlapping aspects between ISMS and QMS.

    In all the material that Advisera provides in the ISO 27001 toolkik you mention the figure of the CISO or Information Security Manager. In *** all these tasks are being managed by the QARA Manager, which is me in this case.

    Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?
    What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?

    Could all these roles be covered by Spentys’ current QARA Manager?

    What do you recommend in this regard?

  • A proof for fulfillment of requirement A.9.5.1 from ISO 27017

    Our certification body has asked us to show the proof of implementation of A.9.5.1 from ISO 27017: "Risk assessment performed and mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment. (s1)"

    Could you please give us some examples on what kind of proof we would need to present to the certification body?

  • Control A.11.2.4

    When looking at control 11.2.4, does this apply to all equipment? Or, just equipment crucial to business continuity? We do not have any equipment owned by the company other than laptops, so we are just looking to see what we need to do in terms of servicing our equipment.

  • IT Security Policy too narrow

    We are using the wizard to create the IT Security Policy, and we found that the context in the IT Security policy is too short and seems that it cannot meet the requirements of ISO 27001. For example, the context in the IT Security policy didn't make any references to SOA controls. How would you advise how we can complete the IT Security policy according to the ISO 27001 standard?

  • Scope definition

    In your opinion if several registered entities with different natures of business (e.g., data operator, business optimisation consultancy, publication house, and a financial service provider) are part of a registered holding company, how do you determine the ISMS scope, would it pass an ISO audit if the holding company drafted an Acceptable Use Policy or Wi-Fi AUP with expectation of a "one size fits all" entities?

    Or would each entity have to have a separate policy that aligns to the holding company's security objectives as far as it applicable to them on an individual basis?

  • 27001 audits

    How would I audit a large company who holds their ISMS processes at their head office but have 120 sub sites who mainly only supply construction work for the company. Head office is in *** and about 60 sub sites in ***. My point is, as far as the ISMS is concerned it is operated from the Head office who hold all the clients’ data.

  • Question from ISO 27001 Foundations Course

    When talking about interested parties in clause 4.2. The video starts with saying it is Required to Document interested parties and their Information Security requirements. By the end of the video he says Clause 4.2 requires this analysis to be conducted but not documented. Can this be corrected or documented below the video? Many of the questions on the test cover what is required and not required to be documented, so this just adds to the confusion.

  • Links between 14001, 27001 and 45001

    The real question is are there natural linkages between 14001, 27001 and 45001 that can be built upon in developing the operating systems environment that you want to achieve, and satisfy the requirements of the three in the process. This is what we need to ensure that we're asking the best questions and tasking the people in the right direction. We look forward, not at lagging indicators, but at guiding science.

  • Special Interest Groups

    For ISO27001 a.6.1.4, what would be some examples of special interest groups?
Page 36 of 544 pages