
ISO 27001 & 22301 - Expert Advice Community




  • 27001 audits

    How would I audit a large company that holds its ISMS processes at its head office but has 120 sub sites which mainly only supply construction work for the company? Head office is in *** and about 60 sub sites are in ***. My point is, as far as the ISMS is concerned, it is operated from the head office, which holds all the clients’ data.

  • Question from ISO 27001 Foundations Course

    When talking about interested parties in clause 4.2, the video starts by saying it is required to document interested parties and their information security requirements. By the end of the video he says clause 4.2 requires this analysis to be conducted but not documented. Can this be corrected or documented below the video? Many of the questions on the test cover what is required and not required to be documented, so this just adds to the confusion.

  • Links between 14001, 27001 and 45001

    The real question is whether there are natural linkages between 14001, 27001 and 45001 that can be built upon in developing the operating systems environment that you want to achieve, and satisfy the requirements of the three in the process. This is what we need to ensure that we're asking the best questions and tasking the people in the right direction. We look forward, not at lagging indicators, but at guiding science.

  • Special Interest Groups

    For ISO 27001 A.6.1.4, what would be some examples of special interest groups?

  • SOA Based ISMS Manual

    We have now taken the first steps, but are still waiting for the release of the ISO standard for 2022.

    We also want to align our SoA with this new version. I intend to structure the SoA in such a way that I have a high-level document that only contains the controls and the selection, including the justification; the document is also available to customers because they have already asked for it in the certification process. The 2nd level describes the requirements from the standard and our planned and implemented implementation in more concrete terms; this also results in a kind of "Security Management Manual".

    I have attached an initial draft for A5 (Organizational Controls) (2022). What do you think of it, does this procedure suit an auditor?

  • Position Description Question

    I wanted to touch base with you about a quick question. This is about the ISO 27001 control regarding stipulating information security obligations in position descriptions.

    We are an ISO-27001:2013 compliant company and we have generic Info Sec roles and responsibilities articulated in our Position Description.

    I wanted to know if there is a need to articulate role-specific Info Sec roles and responsibilities as well in PDs. For example, a Backup Engineer’s Info Sec roles and responsibilities would be different from those of a Network Engineer. Some views in our company are that it would be overkill, as ISO doesn’t mandate going into such details.

  • Necessity to include specific user

    Hi, as an IT Security Engineer I am the "Project Manager" for our company (as a role in Conformio). We have a senior project manager at our company as a consultant for ISO 27001. He is sporadically consulted on our documents due to his experience in ISO certification. Do we need to include him in our Conformio and documentation or not, with regard to the ISO 27001 standard?

  • HR as asset and risk owner of SA

    Could you elaborate a little bit more on this one?

    How is HR the asset and risk owner of SA, with the threat being social engineering?

  • Asset inventory

    A question arose about the item “asset inventory”: in control A.8.1.1, should the table contain all assets individually or by group as in the risk analysis table?

    Example: In the risk analysis, we identified a group of professionals as “specialist employees” and did the risk analysis on this asset, then in the asset inventory table do we need to define each of these people? Another example: we also defined in the risk analysis worksheet “employees' computers” as an asset, in the inventory table do we need to specify one by one?

  • Career in GRC domain

    Apart from your foundation, what cybersecurity certification should I be looking for as a starter in the GRC domain?
