Guest
1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.
We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.
What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.
2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use filter instead of copy pasting those risks that need treatment. Copy pasting between tables is error prone.
Does the standard require these tables to be seperate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.
Dear Team - this is quite urgent - we have got a non-conformity because the auditor didn't accept the risk register as produced by Conformio - we are not sure how to mitigate this, any guidance would be hugely appreciated. Here is the non-conformity. (27001) Finding: The organisation did not fully meet the requirements for clause 6.1.2 c)1) - apply the information security risk assessment process to identify risks associated with the loss of confidentiality, integrity and availability for information within the scope of the information security management system. Evidence: missing from Risk register within Conformio platform.
Additional information: The auditor requests that we add a column showing the impact on each of the CIA - Confidentiality, Integrity, and Availability components, (e.g. Letters to show letters representing the affected components of CIA).
The policy templates we received as part of our toolkit refer to ISO27001. Should this be changed to ISO27002?
I want to ask about establishing risk acceptance criteria in clause 6 - 6.1.2 and if there is any sample can i view in order to complete creating my system, which is related to a cloud-based software solutions company
So I have a request – would you have a privacy policy template from iso27002 I believe a6.1.2 I can purchase?
We recently upgraded with you the ISO27001 workbook templates and I’m going through a client audit and they are asking for a specific privacy policy and so far what I have provided from either the older 2013 ISO27001 and the GDPR is not passing with them
Underneath the register of requirements where I am asked if I am compliant with the Computer Misuse Act am I expected to have a policy or do I read and agree to the terms?
Is there a reason to keep the 09.04 BYOD policy separate to the 09.01 IT Security Policy?
Or can we just include it there (in 09.01) like for example we do with 09.02 Clear Desk policy?
My doubt is related on controls to be implemented regarding software development, i.e, controls 8.25, 8.26, 8.27, 8.28 and 8.29.
I understand that if there is any type of internal software development the controls must be applied.
However, if a company has installed any software/platform that is open source, it means that its allowed or can be made changes. Even, and for instance, for solutions that IT systems administrators use to manage IT infrastructure.
In this case, any of the mentioned controls must be applied ? meaning that they cannot be excluded.
Does all of the RTP need to be completed before certification audit?
Hi Our parent company has ISO 27001. We have a new venture that is devolving from the parent and will become a separate legal entity. We want the new venture to be ISO 27001 certified, however it operates very differently from the parent company. My question is can a single legal entity have 2 ISO 27001 certifications i.e one for the parent excluding the new venture and a separate one for the new venture (which over time will become a separate legal entity)?