
ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 documents

    These controls are listed in ISO 27002. How do you decide whether they are mandatory or not? Because different companies will require different controls. For example, software developers will definitely require A12.6 – Technical Vulnerability Assessment.

    The following are not in the toolkit. Please furnish:
    A7.3
    A9.3
    A9.4
    A12.4
    A12.5
    A12.6
    A12.7
    A13.2
    A14.2
    A14.3
    A17.2
    A18.1 Compliance with legal and contractual requirements
    A18.2

  • Scope

    I'm in the process of defining the scope according to ISO 27001 for a company whose core business process is based on the analysis of data. The IT infrastructure is entirely based on the cloud (PaaS) and the company has a dedicated physical location. This is a small-size organization (20+ people) that works remotely by connecting to the cloud. The cloud is not public; it belongs to our holding company. Also, the holding company provides human resources for our company.

    Therefore:
    Organizational scope: development, operations, supporting team
    Information and technology scope: only the technical services used in the cloud, not the OS, VMs, physical servers, ...
    Physical scope: only the scope related to our company

    Is that right?

  • ISMS implementation

    Hi, we are a software development company that is on its way to plan for isms implementation. I have a couple of specific questions about the definition of the scope of the ISMS.

    We would like the scope of the ISMS to be the whole organization. We are not going to leave any parts, units, services that are internal outside of the scope. I have noticed that there is some granularity to the specific items of the scope. In the course videos you provide it wasn't this way.

    1. Processes and services. Should I write about each service and each process specifically as part of the whole business model? Example: Managed Service Provider Service and all its processes; Software Development Service and all its processes; Software Support Service and all its processes; Cloud Infrastructure Consulting Service and all its processes. OR may I just put something more general that points to the idea that all the organizational business and processes are in the scope? A broader definition might be open to interpretation, but we really want the whole organization to be covered by the security benefits of having an ISMS in place. Example: Every service and process that is a part of the organization and its business is included in the scope.

    2. Organizational units. May I just get away with putting down that the whole organization and all organizational units are included in the scope? Do I need to define organizational units if I am not going to leave any of them out of the scope? Would an auditor be OK with that definition, and would he/she understand that the whole organization is covered by the ISMS? The problem is that the organization is fairly fluid and ever-moving and changing in regards to units and departments. This doesn't mean that people that are responsible for certain things are not appointed. Everything is logged, double checked and audited, but it would be a bit difficult to channel every organizational aspect into a department or a unit.

    3. Network and IT infrastructure. This one seems really tricky for me. A lot of our IT infrastructure is ever-changing, so to speak: networks, devices and services are constantly added, removed, migrated and changed. If I need to list every piece of IT infrastructure and network, that would be an Inventory of Assets of its own. So the question is: when I've actually done the work to mark every piece of data in the Inventory of Assets, do I need to relist everything under "Networks and IT infrastructure" as well? May I just put in something showing the general concept of ISMS coverage (i.e. everything)? Would a definition like "All networks and IT infrastructure that are located in the (and here I would just specify the location) are a part of the scope" be acceptable? Our IT infrastructure is only in one physical location and also in the cloud. We are using the IaaS model and sometimes PaaS as a model. In this regard I would list those in the supplier policies and not in the scope.

  • Level of implementation in a country’s companies

    I would like to ask you what is the level of implementation of ISO 27001 and ISO 22301 in *** companies. To have a notion of the incursion of quality in my country.

  • Level of implementation in a country's companies

    I would like to ask you what the level of implementation of ISO 27001 and ISO 22301 is in *** companies, to get a notion of the adoption of quality in my country.

  • Recurring task in Conformio

    It does seem strange though... The task is to publish procedures for the description, but it has to be done every 10 days.

    I would have thought once published, then at least annually, would be OK...

    Appreciate your feedback.

  • Question about Scope of Work

    We have started engaging with a company to help us get an ISO 27001 certificate, and I am the project manager or the contact person. I am confused about the SOW: they want to do it for all the ***, and I believe that we have to start with the IT department. What do you think?

  • Recovery site

    Due to Covid-19 protocols we have to adhere to social distancing requirements. So part of our team is working at the recovery site full time, and it means that we do not have a recovery space in the event that the team working from the office experiences a disaster. The arrangement to work from home is not possible due to the nature of the job.

    So in this case, do we still consider our recovery site as a recovery site, as now it has been turned into a daily office until we are over with Covid?

    1 - Do we need another recovery site?

    2 - If we do, how do I convince management?

  • Stage 2 Audit and ISMS completion status and Assets listing

    1. I have a situation where the Assets listing is very light on, i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn't go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be concerned with the absence of an Inherent Risk perspective?

    2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be. I have been told that if there are many gaps and a low level of completion of the ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances, i.e., if there are many non-conformances and control gaps found, then this is "good news" as it supports the status of non-completion. My thought is that the Stage 2 auditor would expect to see the ISMS mostly completed, e.g., at least 90%, accepting that there will always be maintenance and improvement.

  • Filling documents

    Hello Dejan,

    As *** internal contact for ISO 27001, a query arose while filling out your documents.

    I have tried to include information from the VDA ISA 5.0 questionnaire in your documents. In doing so, I often read about requirements that have to be determined.

    Are the following requirements in your document

    "02.1_Anhang_1_Liste_gesetzlicher_amtlicher_vertraglicher_rerichtungen_Premium_DE.docx" (02.1_Appendix_1_List_of_Legal_Regulatory_Contractual_and_Other_Requirements)

    determined and then referenced in the respective documents to be created later and implemented in a suitable manner or where exactly are these requirements written down?

    1 - Requirements for the procurement, commissioning and approval for the use of non-organizational IT services are determined

    2 - Requirements and procedures for the use of confidentiality agreements when passing on sensitive information

    3 - The procedures for user authentication are defined and implemented on the basis of business and security requirements.

    4 - The requirements for development and test environments have been determined

    5 - Measures to meet the requirements with regard to intellectual property rights and the use of software products protected by copyright (procurement and license management) are defined and implemented.

    6 - Requirements from business relationships (e.g. reporting obligations to the client) are determined and implemented.

    7 - Requirements for key sovereignty have been determined and met.

    8 - Security-relevant requirements for information security with regard to the handling of event logs, such as requirements from contracts, are determined and implemented.

    9 - Extended requirements for the control and administration of networks have been identified and implemented
