ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Questions about ISO 27001 implementation

    We have purchased the ISO27k toolkit last year (I believe the toolkit with extended support) and started the implementation.

    At this point, we are finalizing the risk assessment and starting the SoA. I now have a few questions. Please direct me to the right person if you are not the appropriate recipient.

    My questions so far:

    1 - It’s not yet clear to me what we must do exactly if a risk from the treatment table is not acceptable and requires some implementations.

    What is the accepted time frame for risks mitigation?
    For an unacceptable risk which requires new controls for treatment, what if we plan the implementation – say – 1 or 2 years later?
    Is it allowed by the standard and/or auditor?
    Will it be visible in SoA’s residual risks?
    In other words, does it have to be addressed before the next assessment, or the next audit, or freely?

    2 - If the risks must be absolutely mitigated “quickly” when not accepted, then we may need to relax the acceptance criteria to encompass them. Can we say:

    Based on a yearly budget, state that i.e. high risks can be accepted only if there is no room left for the implementations in the running assessment… (or financial year… somehow)
    The risk mitigation may therefore be postponed to the next assessment (hopefully not indefinitely..) or “whenever possible”
    Would that kind of acceptance criteria fit with the standards and pose no issue with auditors?
    I suppose that such accepted risks will again appear in the SoA (but it makes sense)

    3 - Concerning the risk assessment:

    Will our estimations of impact or likelihood be strongly challenged by the auditor? (sometimes there is room for debate..)
    Do we have to prepare evidence for each asset assessment or risk, to assist in the verification?
    Clearly, doing so, in advance, and for many risks/assets is not feasible for us
    I guess the focus will be on the SoA instead and how the controls are implemented? (or to explain why they are not)

  • ISO 27000 and ISO 31000

    Which standard of ISO 27000 group or ISO 31000 determine owner of information assets as owner of the information risk? And the informational risk as a operational risk.

  • ISO 27001 certification for a group of companies

    Hello, we would like to certify our company ISO 27001. Since our organization is made up of a mother (holding company) and several subsidiaries, our question is whether certification is possible for all companies at once and what is the procedure. As soon as this question has been clarified, we will tackle the preparation with the help of your template. Thanks for your help in advance.

  • CISO

    ¿La norma exige que se tenga dentro de la empresa un CISO (Responsable de Seguridad de la Información)?
    ¿Puedo tercerizar un CISO?
    Sobre el plan de capacitación, ¿siempre es necesario presentar algún certificado para evidenciar un curso de capacitación?
    ¿Cómo evidenciar los cursos gratuitos donde no se tiene un certificado?
    ¿Los objetivos de Seguridad de información se pueden cambiar en cambiar en cualquier momento o se debe esperar un periodo de medición?
    ¿Si se cambia un objetivo de seguridad, un auditor me puede pedir la medición del antiguo objetivo?

  • 27001/2:2013 framework for Information Assets of OT/ICS

    I am working with leading oil and gas Company ***. I saw you several webinars on online video portals. I appreciate your clear understanding about the ISMS through ISO 27001/2: 2013 framework.

     I want to know your opinion whether the 27001/2: 2013 framework is applicable for Information Assets of OT/ICS (Operation Technology/Industrial Control Systems) such as SCADA, DCS etc..

    Your reply in this regard may be valuable to us for protection of our Information Assets of OT/ICS.

  • AWS

    I have two separate cloud instances in AWS. One is shared among customers and one is dedicated to individual customers. I don't have all security controls enabled on the shared instance yet. When I go in for ISO Certification, can I exclude the shared instance from my scope and certify the dedicated environment only.

  • Incorrect use of product keys

    I am writing to find out the implications of using unlicensed product keys or incorrect licenses on ISO 27001. 

    I have come across cases where there are certain products such as XXX, XXX and XXX that are not correctly used. Product keys were acquired, but the licenses were not.

    I am under the assumption that the control A.18.1.2 requires an organization to use the correct licenses. Would these issues have an impact on certification if they are uncovered within an audit?

  • A.9.4.3 Password Management System

    Hello Advisera,

    looking more detailed at the A.9.4.3.

    What is a Password Management System, is it just a set of rules, as described in Access Control Policy?

    But then, should we describe for which systems do these Password rules apply, and for which not? Or should they be general?

    Thank you!

  • Configuration and Vulnerability Management

    I would like you to show me how configuration and vulnerability management are connected / dependent on each other. and How Configuration management can help in vulnerability management in achieving goals. Would appreciate early response. Thank you.

  • Determining scope

    once the organizations context has been documented how we would use the information to determine the scope. How do I facilitate in such a way that get them thinking about our products and associated processes/activities in a way that exposes the BC risks.

Page 10 of 437 pages