ISO 27001 & 22301 - Expert Advice Community

  • Risk register is not effective

    We are an SMB organization with 200 employees and 13 IT staff, and the scope of implementation is only the IT department. We are implementing ISO 27001, and the main challenge is to identify and register the risks in an effective and realistic manner. We are working with a third party and they delivered a register of 140 risks. We have a couple of comments on the risks registered, as follows: 1. The registered risks are not realistic; it is closer to an issue register than a risk register. 2. Most of the registered risks are repeated in different ways. 3. 140 registered risks is far too many to manage and maintain. The third party used risks based on asset groups. Does this make sense, and how can we resolve this issue?
  • ISMS

    I have some additional queries. 1. Within the ISMS scope document, in point 3.3 Networks and IT infrastructure, should the network segments and IT infrastructure (routers, switches, etc.) be fully detailed, or is it enough to include a graphic of our network diagram? 2. In the ISMS Implementation Project Plan document, point 3.1 Project objective, can the date that is set as a limit be changed as the ISMS implementation progresses, or should that date not be changed once it has been defined? 3. In the ISMS Implementation Project Plan document, point 3.4.2 Project Manager, can two or more people be designated as project manager, or can it only be one person? 4. In the ISMS Implementation Project Plan document, point 4 Management of saved records, should the table detail only the project plan document, or all the documents that belong to the ISMS (e.g. scope document, security policy, etc.)?
  • ISO 22301 - 4.2.2

    I have attended a number of your webinars, and on many occasions you have provided additional references for the implementation of ISO 22301/27001. We are in the process of implementing ISO 22301. In my experience, I have not implemented or worked on the full scope of an ISO 22301 implementation as we are doing now at ***. The Project Manager here has requested: "Activate your network to find someone working in a company that is ISO 22301 (preferably) or 27001 certified who would accept to tell us how 4.2.2 was implemented." 4.2.2 Legal and regulatory requirements: The organization shall: a) implement and maintain a process to identify, have access to, and assess the applicable legal and regulatory requirements related to the continuity of its products and services, activities and resources; b) ensure that these applicable legal, regulatory and other requirements are taken into account in implementing and maintaining its BCMS; c) document this information and keep it up to date. I have not worked for a company that has achieved certification. In my experience this information was identified as we worked through BIAs, BCPs, DRPs, etc. We have already done some identification of legal and regulatory requirements in an initial discovery for developing the Context of the Organization. Obviously this is not a one-and-done effort, but we have not developed a process. Would you be able to share any insights/information on this?
  • 27001 question

    I work for a 27-employee software company with remote workers. I'm having a few difficulties defining the asset register and would appreciate your view. We are using the asset type "Internally developed software" to encompass all software products we build for sale. However, we have several software products. Some are sold to customers for on-premise installation and use, whilst others are SaaS products residing in the Azure cloud (within our control). Additionally, we could partition our software into further categories or even individual products where they have different risks/vulnerabilities. 1. My question is, how granular should we get? 2. Would an auditor need to assess individual product risks because one product uses more third-party services than another?
  • ISO 27001 and ISO 9001

    Can the RA for ISO 27001 be incorporated into a company's ISO 9001:2015 register?
  • Help: Creating risk management plan under ISO27005

    Hi, I am after some help with creating a risk management plan. I have completed the work but have a few questions. The methodology I chose to apply was ISO 27005, but I am unclear on whether the risk communication and risk monitoring and review sections are mandatory. Actually, which parts are mandatory? Another thing I am not clear on is how I am supposed to provide justification of the risk treatment options. Is this something which is necessary under ISO 27005? Thanks
  • ISO 27001 lead auditor

    Hi, I am working through the video lectures again in preparation for the ISO 27001 Lead Auditor exam. This question is from Module 8 - Understanding auditing standards, "What is certification?" ("Please watch this video and after completion proceed to the quiz below. To complete this unit, please click 'Next unit'.") The question is: "A business can become accredited to ISO 9001 if it is required by their suppliers." And the answer is: "False - correct. A business can become certified to ISO 9001, but their certification body must be accredited." This answer does not seem to match well with the question.
  • Conformio Questions

    In the Procedure for Document and Record Control, under #5 - Managing records kept on the basis of this document: in the table under "Record Name", what goes there? We will be storing any external records pertaining to our ISMS in a folder on Confluence. What about the "Storage Location" - does that need to be a link, or just "Confluence folder" noted?
  • Conformio risk register

    I have a few questions regarding Conformio (trial). 1. First, a question about the risk management methodology (the process): could you elaborate the logic behind it? Is it different from the RA and RT tables in your toolkits? Because I haven't used the vulnerability-threat approach, I am confused that you must choose an applicable control for a vulnerability and then again for a threat. Or are these applicable controls the safeguards that are already implemented in our environment, which we have to consider when we do the risk evaluation (the next step; these controls are already included in the risk level)? 2. Can you also adjust controls (make your own), or are there only ISO Annex A-related controls? 3. I can't seem to adjust the residual risk manually (after I have added controls appropriate to treat the risk); why is that?
  • Conformio

    1. ISO 27001:2022: How will the new ISO 27001:2022 affect Conformio and the created policy documents? Is it wise to already aim for certification against the new standard? Does it make sense to start implementing the new version now and not the old one? 2. ISO 27001 marketing: In a video accessible from Conformio, there is a statement that the time for the project manager is 0.5 day/week. That seems like too little to me if it also assumes doing consulting and guiding the organization through the certification process, such as reading, preparing, reviewing and approving documents, or performing the risk assessment and drafting implementation plans for controls. Also, such statements undermine the work of project managers and consultants. What is the use of being a Lead Implementer, or of all the information on your website, if e.g. a secretary could run the project?