ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit register of requirements Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit AS9100 Product: EU GDPR Documentation Toolkit
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Disaster recovery ISO 27031

    We are starting out to begin our ISO process and we have chosen to begin with disaster recovery ISO27031 - what information/guidance can you share or recommend at this stage of our process.

  • List of most common business-critical information assets

    I am particularly trying to get some help with a list of most common business-critical information assets. Not the hardware and software assets.

  • Information security career

    Thank you for your lectures on ISO 27001,

    Sir I am a certified LA in ISO 9001 2015 and certified ISO 14001 and 45001 Auditor, B.sc, MBA

    in short, I don't have any experience in ISMS, but I want to pursue my career in ISMS, is it the right thing to do knowing that I don't have any IT background, and if yes how should I start ...

    what other skills should I learn to make a good international career out of ISMS...

  • How to calculate RTO and RPO

    How to calculate RTO and RPO?

  • Questions about ISO 27001 implementation

    We have purchased the ISO27k toolkit last year (I believe the toolkit with extended support) and started the implementation.

    At this point, we are finalizing the risk assessment and starting the SoA. I now have a few questions. Please direct me to the right person if you are not the appropriate recipient.

    My questions so far:

    1 - It’s not yet clear to me what we must do exactly if a risk from the treatment table is not acceptable and requires some implementations.

    What is the accepted time frame for risks mitigation?
    For an unacceptable risk which requires new controls for treatment, what if we plan the implementation – say – 1 or 2 years later?
    Is it allowed by the standard and/or auditor?
    Will it be visible in SoA’s residual risks?
    In other words, does it have to be addressed before the next assessment, or the next audit, or freely?

    2 - If the risks must be absolutely mitigated “quickly” when not accepted, then we may need to relax the acceptance criteria to encompass them. Can we say:

    Based on a yearly budget, state that i.e. high risks can be accepted only if there is no room left for the implementations in the running assessment… (or financial year… somehow)
    The risk mitigation may therefore be postponed to the next assessment (hopefully not indefinitely..) or “whenever possible”
    Would that kind of acceptance criteria fit with the standards and pose no issue with auditors?
    I suppose that such accepted risks will again appear in the SoA (but it makes sense)

    3 - Concerning the risk assessment:

    Will our estimations of impact or likelihood be strongly challenged by the auditor? (sometimes there is room for debate..)
    Do we have to prepare evidence for each asset assessment or risk, to assist in the verification?
    Clearly, doing so, in advance, and for many risks/assets is not feasible for us
    I guess the focus will be on the SoA instead and how the controls are implemented? (or to explain why they are not)

  • ISO 27000 and ISO 31000

    Which standard of ISO 27000 group or ISO 31000 determine owner of information assets as owner of the information risk? And the informational risk as a operational risk.

  • ISO 27001 certification for a group of companies

    Hello, we would like to certify our company ISO 27001. Since our organization is made up of a mother (holding company) and several subsidiaries, our question is whether certification is possible for all companies at once and what is the procedure. As soon as this question has been clarified, we will tackle the preparation with the help of your template. Thanks for your help in advance.

  • CISO

    ¿La norma exige que se tenga dentro de la empresa un CISO (Responsable de Seguridad de la Información)?
    ¿Puedo tercerizar un CISO?
    Sobre el plan de capacitación, ¿siempre es necesario presentar algún certificado para evidenciar un curso de capacitación?
    ¿Cómo evidenciar los cursos gratuitos donde no se tiene un certificado?
    ¿Los objetivos de Seguridad de información se pueden cambiar en cambiar en cualquier momento o se debe esperar un periodo de medición?
    ¿Si se cambia un objetivo de seguridad, un auditor me puede pedir la medición del antiguo objetivo?

  • 27001/2:2013 framework for Information Assets of OT/ICS

    I am working with leading oil and gas Company ***. I saw you several webinars on online video portals. I appreciate your clear understanding about the ISMS through ISO 27001/2: 2013 framework.

     I want to know your opinion whether the 27001/2: 2013 framework is applicable for Information Assets of OT/ICS (Operation Technology/Industrial Control Systems) such as SCADA, DCS etc..

    Your reply in this regard may be valuable to us for protection of our Information Assets of OT/ICS.

  • AWS

    I have two separate cloud instances in AWS. One is shared among customers and one is dedicated to individual customers. I don't have all security controls enabled on the shared instance yet. When I go in for ISO Certification, can I exclude the shared instance from my scope and certify the dedicated environment only.
Page 118 of 544 pages