ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

    Hi, i don't know how to start this list, i may need clear examples on how to fill this list. Maybe some examples in the document for each will be nice.

    - Legal examples
    - Regulatory examples
    - Contractual examples
    - Other requirements examples

  • Software SaaS company

    I want to better understand as a software SaaS company how to leverage ISO 27001/ 9001- 90003 together with SDLC for agile development and build a support team with ITIL/ ISO 20000. Security and quality without stopping productivity.

  • Risk treatment plan

    Es claro que sobre los activos de información que corresponden al alcance del SGSI se debe definir el Plan de Tratamiento de Riegos. Se debería siempre considerar el SGSI como un activo de información en sí mismo? Y, por lo tanto se deberían identificar los riesgos asociados a su gestión). Por ejemplo: El Riesgo de no definir bien el alcance, el riego de no haber inventariados todos los activos pertinentes al alcance, el riesgo de no definir bien el SOA, el riesgo de no haber definido de manera integral y coherente el Plan de Tratamiento de Riesgos (RTP), etc. Es usual este enfoque? o esto excede al SGSI en si mismo? De antemano gracias por tu respuesta.

    (It is clear that the information assets that correspond to the scope of the ISMS must define the Risk Treatment Plan. Should the ISMS always be viewed as an information asset in itself? And, therefore, the risks associated with its management should be identified). For example: The risk of not defining the scope well, the risk of not having inventoried all the relevant assets within the scope, the risk of not defining the SOA well, the risk of not having comprehensively and coherently defined the Treatment Plan for Risks (RTP), etc. Is this approach usual? or does this exceed the ISMS itself? Thank you in advance for your answer.)

  • Are templates mapped with NIST and CIS 20 requirements

    I have a question regarding the policies and standards that will be customised. Is the template are mapped with NIST and CIS 20 requirements?

  • Legal basis

    Please advise regarding the below

    As a data processor , what is the legal basis of processing the data noting that we need to process the data to provide our services to the data controller and that consent is not obtained from our side and we don’t sign a contract with the data subject however we sign it with the data controller.

  • Query regarding the career with ISO 27001 Certificate

    kindly help me to guide, if the ISO 27001 is the right path for the career. As i have total experience of 6.5 years in a Telecom domain. currently i moved on Telecom security Engineer.

  • ISO 27001 Foundations Course comment

    “List of all the controls from Annex A and any additional controls that might be identified in the risk treatment process”

    “all the controls from Annex A ” means the 114 controls.

    So this should be false and the quiz consider it true.

    I know it’s meant this SELECTED controls from Annex A, but that is not what is written.

  • Managing records kept on the basis of documents

    Hi Advisera,

    a lot of records (e.g. Risk Treatment table, or SoA) that should be created and managed should be according to templates in pdf format. I understand that. But there is a version history in Office365, so that we can check whether they were some unauthorized changes. Is that enough, I mean storing the records in Excel or Word form, not pdf, but with a version history turned on?

  • Network controls

    The ISO 27002 requires (in A.13.1.1) Control: „Networks should be managed and controlled to protect information in systems and applications“.

    I am interested in particular for items f) and g).

    What is meant by “systems on the network should be authenticated“ / „systems connection to the network should be restricted“ ?

    What is meant by „systems“ ?

    Can you please give me some example for better understanding ?

  • ISMS Manual contents

    I'm currently guiding an ISO27001 implementation project and aiding people in my team understanding what documentation needs to be done. A topic that comes regularly is the need for an ISMS Manual. I understand this not a mandatory document and to be honest it takes in lots of repeated (summary) information already in other documents of our ISMS.

    However, I understand some concepts written in this manual may be useful, such as explaining our Information Security organisational structure and the documental framework of the ISMS (what documents do we have, how do we split them into policies, procedures, work instructions, etc.).

    What do you recommend for documenting this type of info?

Page 11 of 437 pages