ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Changing career to Lead Auditing from LIMS company

    Hi. Been working as a part time Consultant for *** for close to 6 years now.
    However, a friend told me about Lead Auditor late last year and really got me interested. 
    I do not have experience in Information System Security or a lot of Information security given that *** is a LIMS company.

    Please advise how I can change my career to Lead Auditing from Laboratory Information Management Systems configurations.

  • ISO 27001 corporate vs business functions

    I wonder whether you could advise me, We are planning to have a ISO27001 assessment but assessment team is planning to audit the Business function assets as well. However as far as I know ISO27001 is dealing with Corporate functions only (workplace, HR, IT, Procurement...). Could you let me know whether my understanding is correct? Is there any article already written on this please?

  • How to prepare an audit?

    How would you approach preparing for an audit taking place in 8 weeks, what would you prioritise, how would you ensure non-conformities are minimised

  • ISO 27001 Lead Auditor certification paths

    Could you please help me to understand the difference between the ISO 27001 LA certificates according to the different paths you describe?

    I think I don't understand the principal differences of:
    1) ISO 27001 Lead Auditor certificate I obtain if I pass the appropriate exam provided by you and certified by Exemplar Global
    2) Any other ISO 27001 Lead Auditor certificate (e.g. issued by PECB) that is provided only after going through all the steps described here:
    I'm concerned because I need the certificate to be able to conduct internal audits for the clients, but for now, I have only 1 year of professional experience (in ISMS) and PECB, for instance, provide Lead Auditor certificated only if you have at least 5 years of experience (including 2 years in ISMS).

    I would greatly appreciate your support.

  • ISO 27001 audit and implementation

    New to the ISO 27001 space, on my first day with my first client, what discussions do I need to engage in, what do I need to do, what to ask, who to engage etc. to commence 1) an ISO 27001 audit 2) ISO27001 Implementation?

  • Information Classification Policy - “labeling” of information

    I am going through the documentation and have a question regarding the Information Classification Policy.

    More precisely regarding “labeling” of information. I would like to stick as close as possible to the default document.

    However, as a B2B communication agency almost all information we manage (and that is a lot) can be classified as “Internal use”.

    Is it ok to specify that all “(unlabeled)” or “INTERNAL” labeled information is to be considered “internal use”?

    So that we can avoid needing to label just about everything with the same label.

    Could can an alternative be to use “(unlabled)” for “internal use” and “public” for “public” assets?

  • Asset inventory and risk analysis

    Which and too and approach can I use to make my asset inventory and risk analysis in order to see which control I need to put in place?

  • Nonconformities, OFI's vs Low/Med/High Audit Gaps

    "I got ISO 27001 certified last year and extensively used your site for references and the courses and found the materia to be very valuable and easy to understand. I have successfully completed a number of ISO 27001 audits in an internal auditor role and still use your docs for reference.

    I am also CISA certified and the majority of my audits are IT General control audits where we rate gaps based on assessing impact and likelihood with ratings of low, medium and high.

    I was looking to find information on how major/minor nonconformities and OFI's would compare to the 'traditional' audit gap ratings of low, medium, high. Would you be able to provide some guidance?

  • Questions regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit

    1. Regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit:
    Does it cover also ISO 27701:2019?

    2. Does it cover also GDPR cases where EU customer personal data is processed outside of EU in a country like ***? (like using standard data protection clauses adopted by the EU Commission, etc?)

    3. Does there exist an employee contract template which takes into account GDPR?

    4. Does there exist a B2B contract template which takes into account GDPR when processing EU customer personal data in a country like ***?

    5. Does there exist a B2B contract template which takes into account GDPR when EU customer personal data is processed outside of EU in a country like ***??

  • ISO / IEC 38500 question

    Do you have any thoughts on the ISO/IEC 38500?

    Would we want to add this after our ISO/IEC 27001 that we are working on?

    Also, in regards to the ISO 22301, does this compliment the GDPR that we are working on?

Page 12 of 437 pages