Hi, I am working through the video lectures again in preparation for the ISO27001 lead auditor exam,
This question Module 8 - Understanding auditing standards
What is certification?
Please watch this video and after completion proceed to quiz below.
To complete this unit, please click “Next unit”.
The question is A business can become accredited to ISO 9001 if it is required by their suppliers.
And the answer is False – correct. A business can become certified to ISO 9001, but their certification body must be accredited.
This answer does not seem to match well with the question.
*In the Procedure for Document and Record Control under #5- Managing records kept on the basis of this document: in the table under "Record Name", what goes there? We will be storing any external records pertaining to our ISMS in a folder on Confluence. What about the "Storage Location" - does that need to be a link or just "Confluence Folder" noted?
Conformio risk register
I have a few questions regarding Conformio (trial).
1. First, a question about risk management methodology (the process) could you elaborate the logic behind that, is it different than in your toolkits (RA and RT) tables?
Because, I haven’t used the vulnerability - threat approach, I am confused that you must choose applicable control to vulnerability and then again to threat? Or, are these applicable controls, controls which are already implemented safeguards in our environment? and we have to consider them when we do risk evaluation (the next step, these controls are already included in the risk level)?
2. Can you adjust controls also (make your own), or are there ISO A-attachments related controls only?
3. I can’t seem to adjust residual risk manually (after I have added controls appropriate to treat the risk), why is that?
1. ISO 27001:2022
How will the new ISO 27001:2022 affect Conformio and created policy documents? Is it wise to already aim for certification against the new standard? Does it make sense to already start implementing the new version and not the old one?
2. ISO 27001 marketing
In a video accessible from Conformio, there's a statement that the time for the project manager is 0,5 day/week. That seems like too little to me if it also assumes doing consulting and guiding the organization through the certification process, such as reading, preparing, reviewing and approving documents, or performing the risk assessment and drafting implementation plans for controls. Also such statements undermine the work of project managers and consultants. What is the use of being a Lead Implementer or of all the information on your website if e.g. a secretary could run the project?
Creating right road map to reach goals in optimal way
Actually, I have a project about ISO 27001 deployment in the company where I work.
I have a lot of questions and information to know. How can I create the right road map to reach the goals in an optimal way.
ISO 27001/Conformio questions
1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities.
2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation?
ISO 27001 Scope
1. Do we have the ISO 9001 certification where its scope is "Customer Service and Telemarketing", is it possible to indicate the same scope on the SGSI?
2. If the YES is the answer on the scope of the ISMS, should it be included in the point 3.1 of the document on the scope of the ISMS?
The inside of the point 3.1 must detail all the processes that interact within the "Service of Customer Service and Telemarketing”
ISO 27001 Internal Audit practice and tips
Can you share some good practices when auditing ISO 27001 ISMS and Annex controls? Thanks
What to do with legacy documents & materials
1 - I am looking at our options in regards to planning a roll out of an information classification and retention policies and tools to withing our organization to help users identify, classify, and protect sensitive data and assets for ISO 27001.
Currently we have been filing all our information haphazardly in Dropbox. No standards. No management of the Dropbox folders ... so it's a mess. With 27001 we plan to setup a new structure in Dropbox and migrate/convert the Company documents/assets into the ring-fenced folders, and then freeze the existing Dropbox folders, with a long term objective of sun-setting the content.
Is there a tried and tested method for this task. We have limited resources so it will take time to do.
2 - My other question is, will the auditors want to look at the legacy materials. Our aim is to put an ISO stake in the ground and have all relevant / supporting PowerX docs filed in the new folder structure. For ISO 27001 we will use Dropbox as the DMS, but will most likely migrate to alternative Apps/Software, such as Conformio in 2023.
Risk Assessments in Conformio
1. Can assets be put in a hierarchy, so that filing cabinets can be seen as part of an office building, or firewall as part of a server? I think this would have benefits for overview and determining potentially assets affected by incidents related to other assets below or above in the hierarchy. I'm not sure whether this makes sense from a Risk Management perspective.
2. I see the same vulnerabilities for different assets, like inadequate change control for laws, regulations, etc but also for policies, procedures and work instructions. Is there a way to optimize this and to reduce the number of vulnerabilities?