ISO 27001 & 22301 - Expert Advice Community

  • Documents development

    All the documents have some "Reference documents". Is it preferred to have all the reference documents written before approving the document referring to them?

    For example, if we have document 1, which has references to 2, 3, and 4, do we approve all of them simultaneously, or can we approve 1 even if we haven't written 2, 3, or 4?

    I'd say we can approve them separately because the references would cover the entire project in the end, and then we would have to have all of the documents ready before approving any.
    But what do you think is the preferred way?

  • Question about ISMS

    We have bought the toolkit (German version) and I have one question: 

    Which parts and elements are needed within the documentation and description of interfaces and dependencies from “outside” services in connection with the scope of the ISMS? We have identified several interfaces to parties which are not directly included in the scope of the ISMS. For example:

    • Suppliers
    • HR
    • External software developing companies
    • Legal department
    • Data from external component manufacturers needed for our product in the scope

    So what is needed to describe these interfaces?

  • ISO 27001 Implementation

    Greetings. I am an entrepreneur trading as a business consulting and innovative solutions provider entity. I have in mind expansion to a business incubator/accelerator in another 16 months. How realistic is ISO 27001 implementation in my case at this stage, as I am not a company but a sole trader? Thank you.

  • Statement of Applicability Validation

    If an organisation is making use of ISO 27001 as a guideline but is not certified to ISO 27001, is it mandatory for the organisation to have an SoA in place?

  • Risk Assessment Table

    Hello. In 10.1 Appendix 1, the risk assessment table, do we need to enter each individual laptop/desktop computer with the various risks and vulnerabilities? Or is it acceptable to have a single entry for laptops that goes through all the various risks and vulnerabilities that all the laptops our company owns face?

  • IT Security Policy

    I have been tasked to produce an IT Security Policy, as our current one is outdated. I am currently considering approaching such a policy in two parts: Information Security and Information Technology Security.

    Since they’re both intertwined because of the CIA of information and the related security controls (information, assets, physical security, networks, collaboration tools, online sharing, cyber space, etc.), is it worth separating them, or is one policy encompassing both sufficient and valuable from an audit standpoint?

    The policy is driven by *** which includes 8 pillar requirements as far as security controls go.

    So, I just need a few tips and guidance to build an up-to-date policy reflective of new policy requirements based on new operational trends driven by new technologies and services (PaaS, SaaS, CaaS, to name a few). Also, such a policy must be simple enough to optimize comprehension and adherence from Senior Management. Our organization is not looking to implement a framework on its own.

  • Controls A.15.10.2 and A.13.2.4

    We get a business email service from a third party such as *** for our company. We don't have any NDA with *** and get it under the SLA defined on their site. Also, we are starting to design an Information Security Management System. Does this conflict with A.13.2.4 and A.15.1.2?

  • Lead Auditor Certification

    Hi. I want to pass the exam and obtain the ISO 27001 Lead Auditor certification. I have experience, and I am planning to take your course and pass the exam. I already have 1 certification body. In which time frame is it possible to "have experience in at least 3 complete ISMS audits

  • 22301 implementation with scope of IT department only

    Dejan, I have a client who would like to implement ISO 22301:2019 and certify, but only within the IT department initially (they might want to extend the scope in the future). My question is: would they be able to do this if they only consider the products and services offered by the IT department to its internal customers within the rest of the company, or do they have to consider the products and services that the company delivers to its external customers?

    My question is about a process for conducting a BIA.

  • Internal Audit Report - numbering non-conformities

    A first question: wouldn’t it make sense to number the non-conformities in the Internal Audit Report so we can track them?