ISO 27001 & 22301 - Expert Advice Community




  • No budget to implement control A.8.12 Data Leak Prevention

    Control A.8.12 DLP is relevant to us as Intellectual Property that's stored largely on Google Drive is one of our most important assets.

    However, we do not have the budget to enable Google's DLP rules.

    How do we explain this in our documentation in a way that we still pass the ISO 27001 audit?

  • Confidentiality Statement

    I'm unclear on who should be signing the confidentiality statement. Should this be our employees, or our external clients and suppliers?

  • ISO 27001:2013 to ISO 27001:2022 Conversion Tool

    The tool shows ISO27001:2013 A.18.2.3 splitting between ISO27001:2022 A5.36 and A8.8 when you convert it, but the tool shows it subsuming into A8.8 when you convert 2013:A.12.6.1 (it doesn't mention the split). Can you clarify? Thank you.

  • Who should write mandatory documents in organization?

    I hope you are well. I recently had a colleague ask me a question about who should write the mandatory documents in an organisation. Is it the training consultant or the employees (process owners)? Kindly point me in the right direction.

  • Retention for SIEM

    I am wondering what the log retention times for SIEM requirements are for ISO 27001 implementations in various countries. Thank you for all you have done for us.

  • Data leakage prevention

    I was wondering why there is no template for 8.12 Data leakage prevention in the toolkit.

    Could you please provide any help on that topic in the context of a small company, which does not have too many options to introduce a fancy toolset to cover this new 2022 aspect?

  • Question about gap analysis

    What documentation is needed for a gap analysis between 27001:2013 and 27001:2022? I'm also interested to know if there is a template available for this.

  • Surveillance audit

    I do have a query regarding the ISO 27001:2022 standard.

    In 2021, we successfully conducted an ISO Audit based on the ISO 27001:2013 standards. As the date for our surveillance audit approaches, we are seeking clarification regarding the standards to be followed. Our Surveillance audit is due on 10 August 2023.

    Considering the recent updates to ISO standards according to ISO 27001:2022, we would like to confirm whether we can continue with the surveillance audit according to the ISO 27001:2013 standard or if it is necessary for us to update our processes to comply with the ISO 27001:2022 standard.

    Thank you for your attention to our inquiry. Looking forward to your reply.

  • Handling accidents

    Please advise me which part speaks about how to handle an accident when it happens: accident management, how to lead workers, outsourced companies, firemen, etc.?

  • Questions about implementation

    I have some questions if that's okay! See below:

    What documents should we be including under the ISMS? Should the scope mainly include policies and procedures, or should we be including all client/supplier contracts and day-to-day project documents, e.g. cost estimates, statements of work, etc.?

    Double-check on the internal annual audit: does this need to happen every year? If so, when does this happen, e.g. every year from certification? (In our case, we're looking to be certified in Sept 2023, so Sept 2024 would be the next internal audit.) Is there any leniency on it being 12 months versus 18 months, for example?

    Remote working policy: this is more general advice, but do we need to add how we manage people working abroad? They need to be able to work from wherever they can on business, which can sometimes mean a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?

    Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We currently exclude it, as we feel we would be covered under their own security policies, but I just wanted to double-check that this is accurate / what the standard is.

    Thanks very much!
