I am referring to ISO 27001 Internal Auditor Course.
In module 9 (Document review, at 2:20) the following is said:
"You can perform the document review on-site meaning in the auditee or premises, or you can also do it off-site – in your own office – it really does not matter, all you are doing is reading the documentation."
Is this really correct? This documentation is or can be classified and shouldn't leave the premises? I found that statement a bit strange.
ISMS TIER 1 - 4 Documents
ISO 27001:2013 has categorized documents into tiers. What are the Tier 1, Tier 2, Tier 3 and Tier 4 documents/definitions?
Incident Response and Business continuity Disaster Recovery instructor led training
I am really looking for instructor led training on Incident Response plan and Business continuity Disaster Recovery planning. Could you help me with that?
Business impact analysis questionnaire
I requested some information regarding our ISO Business impact analysis questionnaire and what the correct process would be to complete these for our implementation. The response we got was that only documented business processes should be documented, but we are now again at a point in the process where we are not sure which processes should be listed and whether we need to document things like physical links at our office being unavailable.
The scenario I can share with you is that we have an office where some of our core systems are located.
1 - What impact analyses should I document?
2 - Do I take a granular approach and document things like power outages, or do things like power outages become a prerequisite to a process not being available?
Clause 5.1 / internal audit
First I would like to thank you for all the Advisera answers I have received. The answers have been top quality.
I have questions about clause 5.1 and internal audit preparations.
I am conducting an internal audit before the certification audit and preparing my checklist. What kind of hands-on evidence can I look for to verify compliance with clause 5.1, and what kind of questions should I use to find and verify it?
ISO 27001 questions
We would be happy to accept your free offer and have our documents checked by you. I am sending you our current status.
In particular, we have the following questions:
1 - We are a translation company and have only identified one general entry - our customers - in the list 02.01 of statutory official contractual requirements. Could you tell us if this is enough?
2 - We obtain standard services from our service providers and do not always negotiate individual contracts. Is it sufficient for our certification if our service providers are themselves certified according to ISO 27001?
3 - As a small company, management and IT have double roles of responsibility, so that the separation of duties is not always possible. Did we take this into account correctly in the documents? How is this to be dealt with in general?
Asset inventory
If we choose the IT department as the SOW, as we have more than 500 employees and more than 5 work locations, what assets should we include in the inventory?
ISO 27001 Beginner
Hi, I currently work for a care company in the UK and I've been asked to research ISO 27001 and how to apply it to the IT industry. I don't really know where to begin, and could use some help. I have been asked to do audits and risk assessments. What I'm asking for is a beginner's guide and someone to point me in the right direction for this. Any help is appreciated.
Query Regarding Internal Audit
We have been working on the ISO 27001 project using Advisera templates.
With regards to the Internal Audit, we plan to conduct the audit using "ISMS policies" as the scope instead of "Departments" as the scope, as indicated in the Advisera Vimeo video and templates.
This approach led to some doubts around the scope & criteria content in the templates, which we want to clarify with the Advisera ISO 27001 experts.
Can ISMS policies (e.g. Access Control Policy, Human Resource Security Policy, ...) be the scope for the Internal Audit?
Can requirements within the ISMS policies be audit criteria, e.g. HR screening criteria - BS7858 as per regulatory requirements?
Internal Audit Program (Scope & Criteria)
Scope (What, when, who) - HR Security Policy
Criteria (What) - BS7858 (mentioned in HR Security policy)
and so on for other policies in our ISMS to be scope and criteria
Internal Audit Procedure template (Section 3.2) is proposed to be updated as follows:
Scope of the audit (departments, processes, clauses of the standard, etc.) ==>> plan to add "ISMS Policies" (to cover HR Security policy, Access Control policy, etc.), as our approach to the audit is based on auditing policies instead of departments
Audit criteria (standards, legislation and regulations, internal documentation, corporate standards, and/or contractual obligations) ==>> BS7858 is a regulatory & contractual obligation from the regulator for the HR security policy
Question about A.7.1.2
I have questions about these controls A.7.1.2. and A.15.1. (both are identified as applicable in our Statement of Applicability):
A.7.1.2 Terms and conditions of employment / Confidentiality Statement and Statement of Acceptance of ISMS Documents.
As I understand it, control A.7.1.2 requires mandatory documentation of both of the above for the organization's own employees.
I have difficulty defining the contractor part of this control. Does the control require mandatory documentation with contractors (in a supplier contract etc.)?
I can see at least two kinds of contractor cases: hired employment (people from a contractor that is specialized in hiring out people) and regular IT system vendors (and their own employees) with no employment status with us.
Is the regular IT system vendor part up to us to freely define in the Supplier Security Policy, or are there mandatory documentation requirements?
Thank you for your answers.