ISO 27001 & 22301 - Expert Advice Community


  • Risk Management and ISMS

    1. What is the best way to do risk management?

    2. How do I raise awareness for information security?

    3. How to set up an ISMS that is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?

  • Contingent Worker Definition

    Is there a concrete definition for contingent workers per the ISO Standard?

  • ISO 27001 Scope change

    We are coming up for re-certification this year for ISO27001. We were all in an office in *** but since the pandemic we have all been given new contracts and are permanently WFH now. Since the scope only contained services and company owned hardware at the *** Office, this cannot stay as is. I was wondering if I was to change the scope to say "Company owned assets"? If I was to change this will it exclude home routers etc., or will I need a new policy for updating home security devices? We have many layers of security in place, including encryption, MFA, conditional access policies etc. Just looking to make the scope correct for the new world we find ourselves in.

  • Scope definition

    Hi Dejan,

    I’m from a multi-academy trust which is made up of XXXX schools. We have over XXXX students and XXXX staff, so for our scope, we’re looking at the IT department, rather than the whole organisation.

    However, the more I look at this, the more confused I'm getting!

    Clauses 4.1 and 4.2, are they based on the organisation as a whole, rather than the department in scope? It seems like even clauses 4.1 and 4.2 are a huge task, and identify things that aren't covered by the IT department. It seems odd to identify these issues as an organisation, only to not cover them as they aren't covered by our scope.

    Also, in terms of interested parties, would our students count? If so, would it be those over the age of consent in GDPR terms, or all ages?

    Also, do you know if any schools or multi-academy trusts in the UK have achieved ISO27001? If not, are there any resources or information you could point me to that are focused on educational establishments that I could gain some guidance from?

    Finally (apologies, this may be oddly worded!), as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as requiring 2-factor authentication for staff in other departments to log in to a service?

    We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!

  • Establishing context

    How to concretely establish the context?

  • Configuration Management Policy & Procedure

    For our ISMS we need to have a "Configuration Management Policy & Procedure" to address the requirements of external parties (ex: regulators). I do not see any template for the same in the toolkit provided. Kindly assist on the Configuration Management Policy to help address the below requirements:

    - A configuration management policy and procedure including a baseline of the software configuration of individual assets - baseline config is part of asset register & standardized
    - Documentation supporting a detection solution in place within the User Systems - only system admin have access to install
    - The implementation of solutions to detect and prevent the installation or execution of unauthorized software - only system admin have access to install
    - Documented procedures for reporting and remediating the installation or execution of unauthorized software - only system admin have access to install

  • Question regarding NDA

    Would like to know whether the party certified under ISO 27001 should obtain NDAs from the employees of the outsourcer, or whether the NDA between the outsourcer and the party is sufficient.

  • ISO 27000 and ISO 20000 - which to go first for?

    Which certification to go for first between ISO 27000 and ISO 20000 as an IT Risk and Compliance professional?

  • Technology to enforce and attest ISO 27001 controls

    What technology can be used to enforce and attest ISO 27001 controls (e.g., password policy) in a cloud SaaS environment?

  • Records or Documents

    Hi. I'm trying to decide whether Risk Assessments and Risk Treatment Plans would be considered documents or records. In other words, should they be version controlled? Or should they have specific record retention periods?