Guest
Thanks for your attention to my lengthy query.
Our organization has been practicing the below Risk Management:
1) Enterprise Risk Management -ERM (ISO31000) for the entire organisation
2) ISO22301 BCM Risk Assessment for entire organisation
3) ISO27001 Risk Assessment for the ICT Service Delivery department only
4) ISO9001 Risk Management for a Call Centre
These risk management practices, with their different aspects, have caused confusion in the organization; staff are asking why there are so many risk assessments, and they have also caused overhead in handling these practices.
I observe the below:
1) A lot of overlapping risk assessment, as some risks that are taken care of at the ERM level have to be reassessed again under the other ISO aspects.
2) A different perspective in each risk assessment; e.g. ISO27001 at CIA with a focus on critical assets, ISO22301 on critical business functions or processes from a continuity aspect, ISO9001 at the service quality aspect, whereas ERM at the political, financial, competition, environmental, etc. aspects.
3) The scope of each risk assessment varies from an enterprise level to a specific core function level.
We recognise this as a strength but also a weakness, and plan to initiate a risk management alignment exercise.
I would appreciate it if you could share good advice on the alignment or normalisation of the risk management approach with the below goals:
1) Improve the effectiveness of the entire risk management with a holistic view
2) Improve the efficiency of the entire risk management
3) Still maintain the goal of each risk assessment / management
Hope to hear from you soon.
I see what appears to be a merge between #SOC2 and #iso27001 audit controls, offered as the "SOC2 plus ISO" audit. The challenge I see with most mappings for the audit is the omission of Clause 4-10.
Dejan Košutić do you see a "HIPAA plus ISO" being born and if so, how does Clause 4-10 apply?
How to fill in the document templates for the BYOD policy and for training and awareness?
I just released cyber security policies in my company. My question is what kind of presentation I should give to all employees to illustrate these policies and make them understand what is written.
Sorry, I'm reaching you for a quick answer since I'm not updated with the current classification of findings for ISMS. Is it still opportunity for improvement, observation, minor and major NC, or just NC & observations?
I have been looking for a response but am not sure; there are several opinions, and I'm confident that you could help me.
Is it a nonconformity if the policies' version numbers are not equivalent, according to ISO 27001?
Hello, could you explain why in this article https://advisera.com/27001academy/iso-27001-controls/
you have mentioned only controls from A5? What are the A1 - A4 controls about? I cannot find the information on this.
As a managed service provider with ISO27001 accreditation, how does this help a customer who has a requirement that their provider be accredited with ISO27001?
Just to ask, what are the 7 controls in A.6?
1 - We are in possession of your toolkit for ISO 27001 and are at point 6 (declaration of applicability). The 114 specified measures are to be checked for applicability. For us, however, the question arises as to whether all measures really have to be applied, since theoretically quite a few of them could be used, or whether only suitable measures have to be defined for the risks that we have assessed with risk levels 3 and 4 (unacceptable risks).
2 - In addition, we would like to know whether there are any legal regulations in Germany to which we must pay special attention in the course of the introduction of ISO 27001.