ISO 27001 & 22301 - Expert Advice Community


  • ISO templates - HR Policy

    Can you please help me to find my HR Policy and Awareness? I couldn't locate it in the templates.

  • ISO 27001 Risk Assessment

    When initially identifying risks in a Risk Assessment, is the assessment done based on existing and implemented controls or is it as if no controls are currently implemented? For example:  If the Threat is fire in an office building, would the Vulnerability be “no fire protection” even if the building already has fire extinguishers and a sprinkler system? Or, should fire not be listed in the Risk Assessment since it’s no longer identified as being a Threat?  Thank you.

  • Reconciling Incident SLA vs RTO

    As you know, RTO values tend to be higher as disruption levels go up in scale, while in IT Incident Management the response time or SLA becomes lower. For example, in RTO, if a disruption is at the facility level, the RTO would usually involve hours. In IT, a facility-level disruption would require IT engineers to work as quickly as possible to restore the services. What are your thoughts on this? A P1 IT incident would have to be resolved in minutes, while in BCP a P1 incident would entail a higher RTO.

  • Risk Management Alignment Among ISO31000, ISO27001, ISO22301 & ISO9001

    Thanks for your attention to my lengthy query.

    Our organization has been practicing the following Risk Management approaches:
    1) Enterprise Risk Management -ERM (ISO31000) for the entire organisation
    2) ISO22301 BCM Risk Assessment for entire organisation
    3) ISO27001 Risk Assessment for the ICT Service Delivery department only
    4) ISO9001 Risk Management for a Call Centre

    These Risk Management practices with different aspects have caused confusion in the organization; staff are asking why there are so many risk assessments, and they have also caused overhead in handling these practices.

    I observe the following:
    1) A lot of overlapping risk assessment, as some risks that are taken care of at the ERM level have to be reassessed again under the other ISO aspects.

    2) Different perspectives in each Risk Assessment; e.g. ISO27001 on CIA with a focus on critical assets, ISO22301 on critical business functions or processes from the continuity aspect, ISO9001 on the service quality aspect, whereas ERM covers the political, financial, competition, environmental, etc. aspects.

    3) The scope of each Risk Assessment varies from the enterprise level to a specific core function level.

    We recognise this as a strength but also a weakness, and plan to initiate a Risk Management alignment exercise.

    I would appreciate it if you could share good advice on the alignment or normalisation of the risk management approach with the following goals:
    1) Improve the effectiveness of the entire risk management with a holistic view
    2) Improve the efficiency of the entire risk management
    3) Still maintain the goal of each risk assessment / management

    Hope to hear from you soon.

  • HIPAA vs. ISO 27001 - What are the differences?

    I see what appears to be a merge between #SOC2 and #iso27001 audit controls, offered as the "SOC2 plus ISO" audit. The challenge I see with most mappings for the audit is the omission of Clauses 4-10.

    Dejan Košutić, do you see a "HIPAA plus ISO" being born, and if so, how do Clauses 4-10 apply?

  • How to fill out BYOD policy?

    How do I fill out the document templates for the BYOD policy and for training and awareness?

  • Policies presentation

    I just released cyber security policies in my company. My question is what kind of presentation I should give to all employees to illustrate these policies and make them understand what is written.

  • ISMS audit findings

    Sorry, I'm reaching out to you for a quick answer since I'm not up to date with the current classification of findings for ISMS. Is it still opportunity for improvement, observation, minor and major NC, or just NC & observations?

    I have been looking for a response but I'm not sure; there are several opinions, and I'm confident that you could help me.

  • Policies version 27001

    Is it a nonconformity if the policy version numbers are not equivalent according to ISO 27001?

  • ISO 27001 controls

    Hello, could you explain why in this article https://advisera.com/27001academy/iso-27001-controls/ you have mentioned only controls from A5? What are the A1 - A4 controls about? I cannot find the information on this.