Guest
If an organisation is making use of ISO 27001 as a guideline, but is not certified to ISO 27001, is it mandatory for the organisation to have a SoA in place?
Hello. In 10.1 Appendix 1, the risk assessment table, do we need to enter each individual laptop/desktop computer with the various risks and vulnerabilities? Or is it acceptable to have a single entry for laptops that goes through all the various risks and vulnerabilities that all the laptops our company owns face?
I have been tasked to produce an IT Security Policy, as our current one is outdated. I am currently considering approaching such a policy in two parts: Information Security and Information Technology Security.
Since they are both intertwined because of the CIA of information and the related security controls (information, assets, physical security, networks, collaboration tools, online sharing, cyber space, etc.), is it worth separating them, or is one policy encompassing both sufficient and valuable from an audit standpoint?
The policy is driven by ***, which includes 8 pillar requirements as far as security controls go.
So, I just need a few tips and guidance to build an up-to-date policy reflective of new policy requirements based on new operational trends driven by new technologies and services (PaaS, SaaS, CaaS, to name a few). Also, such a policy must be simple enough to optimize comprehension and adherence from Senior Management. Our organization is not looking to implement a framework on its own.
We get a business email service from a third party such as *** for our company. We don't have any NDA with *** and get the service under the SLA defined on their site. Also, we are starting to design an Information Security Management System. Does this conflict with A.13.2.4 and A.15.1.2?
Hi. I want to pass the exam and obtain the ISO 27001 Lead Auditor certification. I have experience, and I am planning to take your course and pass the exam. I already have 1 certification body. In which time frame is it possible to "have experience in at least 3 complete ISMS audits"?
Dejan, I have a client who would like to implement ISO 22301:2019 and certify, but only within the IT department initially (they might want to extend the scope in the future). My question is: would they be able to do this if they only consider the products and services offered by the IT department to its internal customers within the rest of the company, OR do they have to consider the products and services that the company delivers to its external customers?
My question is about a process for conducting a BIA.
A first question: wouldn't it make sense to number the non-conformities in the Internal Audit Report so we can track them?
1. I would like to know what are the elements that should be considered when designing the layout of the alternative operational continuity site.
2. What type of office equipment should be installed at an alternative site for operational continuity?
3. What do the good practices say regarding the layout design of the alternative site and equipment to be assembled?
Thank you for your recent reply – this was very helpful.
I’m back with another question:
As I understand it, the risk assessment is used to identify which assets/threats call for the implementation of controls due to a high risk score. This is helpful in order to know which controls you'll have to implement. My question goes like this:
"Can" I document and implement, let's say, an "Acceptable use of assets" policy (Annex A control A.8.1.3) even though nothing in my risk analysis points to the need for this? Or should all controls/policies be implemented based on what is found to have a risk score of 3+ in my risk analysis?
I hope this makes sense. If not, please feel free to ask clarifying questions.
Hello,
I have completed the phases below:
- BIA
- RA
- CONTINUITY STRATEGY
I'm now doing the BC Plans and procedures phase:
- Crisis and communication management - DONE
- BC plans and procedures - ongoing (designing a document model)
I need help to write the model that I can use for all structures of our organization.
Thank you so much for your help.