ISO 27001 & 22301 - Expert Advice Community


  • A.9.2.5 Review of user access rights

    Hello Advisera Team, 

    A question about this control: A.9.2.5 Review of user access rights.

    What we need, and what we have now, is that user access rights are reviewed when there is a change in an employee's status (e.g. department or position is changed).

    Is this enough, or is a periodic review meant here?

    Thank you!

  • Assets ISO 27001

    Hello Dejan,

    In Appendix 1 of the toolkit I bought, you propose some assets. I need to ask the whole company (management and so on) to give me a list of all the assets and to mark which ones are more critical for our organization. But at what level should we specify the assets?

    For example, the ones you specified: 

    People

    • Management
    • Employers
    • Part time external employers
    • External parties visiting the organization

    Applications and databases

    • Applications (licenses)

    And so on.

    If we take a few real examples from our organization, should we specify them in detail, such as:

    *** (helpdesk software, critical for giving good support to our clients)

    *** (billing system for our cloud business)

    Or should this be classified as a broader category such as your examples? 

    Thank you

  • Audit

    I would appreciate it if you could resolve the following query.

    Some months ago I bought your Premium Package and I have been doing the preparation so that a company can be certified against ISO 27001.

    My question is: how far do I need to get before the certification body conducts its audit? Please consider that I have completed all the required and mandatory steps of ISO 27001, having reached the “Awareness and training plan”. I am only missing the “Internal audit”, “Management review” and “Corrective actions” items…. My question is whether I must carry out these last 3 steps before going through the Certification Audit.

    I should point out that, in my capacity as Consultant for the ISO 27001 implementation, I could not perform an Internal Audit, because I must not be “judge and jury”.

    What should I do, or what do you recommend?

  • Business continuity management

    I want to ask if BCM is applicable to a pharmaceutical company for the aspect of continuity of product manufacturing.

  • ISO 27017 training presentation

    I’m interested in a training presentation for ISO 27017. I’ve looked in the ISO 27017/27017/27001 that I received and there is no presentation for training.
    Do you have something to offer me?

  • Can ISO 27001:2013 be certified against multiple legal entities?

    We have multiple companies (different legal entities) operating from the same location under a single owner. We would like to implement ISO 27001:2013 for all the different legal entities. All entities are in the same line of business. I would like to know whether we can implement ISO 27001:2013 for multiple companies under a single scope, so that we can undergo certification as a single unit? Let me know if you need more information.

  • Importance of the security issues

    To permeate the organization with the importance of security issues, what is the best way you recommend to train/instruct/evangelize on the subject?

  • Business Continuity Management System Software Checklist

    Do you have any checklist/criteria for selecting the right software tool for operating a Business Continuity Management System that meets the requirements of the ISO 22301:2019 standard?

  • Question about auditors

    1. Does the external auditor need to sit privately with the internal auditor and see his IA plan and IA report and verify all his findings?

    2. Does the external auditor have a commitment and/or obligation to verify his findings and the corrective actions taken? Or does he simply look into his plans and the final report?

    3. It’s well known that IA is not fully impartial, and his IA report might be a bit biased and/or impacted by his senior management if he/she is not reporting independently to the highest authority?

    4. Can the internal auditor, out of transparency, disclose any nonconformities to the external auditor and/or anything that the external auditor himself cannot find during his short visit?

    Thanks in anticipation and appreciate your support.

  • How far is the ISO 27001/GDPR package away from being ISO 27701 compliant?

    Just out of curiosity, how far is the ISO27001/GDPR package away from being ISO-27701 compliant?