Guest
1 - I have some questions regarding ISO 27001 ISMS scope and organizational units. We are implementing the documentation in two of our companies (same corporate group). The whole of Company X is within the scope, but only the compliance office in Company Y. We include them both in the scope. Is this correct, or do we need two sets of documentation? We are using the same equipment and facility at the moment.
2 - I also have a question regarding the risk assessment table. To be compliant with the ISO standard, should we change the risks in the risk assessment after the risk treatment? For example, if risk X has been reduced due to implementation of a policy, should we change the risk from e.g. 3 to 2 in the risk assessment? Or should we not change the risks after treatment at all?
I have your documents for the internal audit report and the checklist. On the internal report, is it acceptable to state that everything was implemented correctly and there was no finding for improvement?
The majority of our finance, HR and other major departments are managed by our parent company, but our sister company wants to become ISO 27001 certified. How do we manage the certification process? Please note that we will require access to the HR and finance departments, for instance. Additionally, we are headquartered at site A and have a branch at site B, but we wish to obtain certification only for site A. How are we going to treat our employees at site B, and under which category should we put them?
We are planning a BC Plan tabletop exercise for a scenario called Data Centre Power Outage. I understand the BC plan is a product of the Risk Assessment and the Business Impact Analysis. I just joined this new organisation, and all of us have been given the BC Plan. I am not sure how the risks were assessed and how the BIA was done.
Question: Can we include the risk assessment and the BIA in the test exercise and ask questions on them? Or, in other words, should we do both analyses during this testing exercise?
Secondly, what are the most relevant questions we should be asking?
Many thanks
Ash
Example: John is Lead Implementer of the ISMS, and Jack is his colleague from the same team. John's boss (who is also Jack's boss) wants to have the internal audit performed by Jack. Is it a conflict of interest for Jack? (Jack was not involved in the implementation, but he has the same boss.)
Is it possible to "merge" certifications for two ISO-certified companies that are in different "states", e.g. one is in its first year and the second is in its second year (surveillance audit), after the acquisition of one company by the other, or do you have to recertify?
How much time is required for a BCMS implementation in a medium-sized organization?
1 - I would like to know whether the ISO 27001 standard talks about a single point of entry into the IT department. I would also like to know whether ISO 27001 talks about multiple entries into the IT department and what the best practice is.
2 - If not, what standard should I look out for?
Good afternoon,
When looking through the Supplier Security Policy, am I correct in stating that this is only for actual services used by our companies? Does this apply to customers of ours? Or, in our case, does this only apply to the company that does our accounting and the other companies whose services we use?