ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 Lead Auditor certification paths

    Could you please help me to understand the difference between the ISO 27001 LA certificates according to the different paths you describe? I think I don't understand the principal differences between: 1) the ISO 27001 Lead Auditor certificate I obtain if I pass the appropriate exam provided by you and certified by Exemplar Global; 2) any other ISO 27001 Lead Auditor certificate (e.g. issued by PECB) that is provided only after going through all the steps described here: https://advisera.com/27001academy/knowledgebase/how-to-become-iso-27001-lead-auditor/ I'm concerned because I need the certificate to be able to conduct internal audits for clients, but for now I have only 1 year of professional experience (in ISMS), and PECB, for instance, provides Lead Auditor certificates only if you have at least 5 years of experience (including 2 years in ISMS). I would greatly appreciate your support.
  • ISO 27001 audit and implementation

    I am new to the ISO 27001 space. On my first day with my first client, what discussions do I need to engage in, what do I need to do, what should I ask, who should I engage, etc. to commence 1) an ISO 27001 audit, 2) an ISO 27001 implementation?

  • Information Classification Policy - “labeling” of information

    I am going through the documentation and have a question regarding the Information Classification Policy.

    More precisely regarding “labeling” of information. I would like to stick as close as possible to the default document.

    However, as a B2B communication agency almost all information we manage (and that is a lot) can be classified as “Internal use”.

    Is it ok to specify that all “(unlabeled)” or “INTERNAL” labeled information is to be considered “internal use”?

    So that we can avoid needing to label just about everything with the same label.

    Could an alternative be to use “(unlabeled)” for “internal use” and “public” for “public” assets?

  • Asset inventory and risk analysis

    Which tool and approach can I use to make my asset inventory and risk analysis in order to see which controls I need to put in place?

  • Nonconformities, OFI's vs Low/Med/High Audit Gaps

    I got ISO 27001 certified last year and extensively used your site for references and the courses, and found the material to be very valuable and easy to understand. I have successfully completed a number of ISO 27001 audits in an internal auditor role and still use your docs for reference. I am also CISA certified, and the majority of my audits are IT General Control audits, where we rate gaps based on assessing impact and likelihood with ratings of low, medium and high. I was looking to find information on how major/minor nonconformities and OFIs would compare to the 'traditional' audit gap ratings of low, medium, high. Would you be able to provide some guidance?
  • Questions regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit

    1. Regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit:
    Does it cover also ISO 27701:2019?

    2. Does it cover also GDPR cases where EU customer personal data is processed outside of EU in a country like ***? (like using standard data protection clauses adopted by the EU Commission, etc?)

    3. Does there exist an employee contract template which takes into account GDPR?

    4. Does there exist a B2B contract template which takes into account GDPR when processing EU customer personal data in a country like ***?

    5. Does there exist a B2B contract template which takes into account GDPR when EU customer personal data is processed outside of the EU in a country like ***?

  • ISO / IEC 38500 question

    Do you have any thoughts on the ISO/IEC 38500?

    Would we want to add this after our ISO/IEC 27001 that we are working on?

    Also, in regards to ISO 22301, does this complement the GDPR work that we are doing?

  • A.9.2.5 Review of user access rights

    Hello Advisera Team, 

    A question about this control: A.9.2.5 Review of user access rights.

    What we need, and what we have now, is that user access rights are reviewed when there is a change in an employee's status (e.g. department or position is changed).

    Is this enough, or is a periodic review meant here?

    Thank you!

  • Assets ISO 27001

    Hello Dejan,

    In Appendix 1 of the toolkit I bought you propose some assets. I need to ask the whole company (management and so on) to give me a list of all the assets and mark which ones are more critical for our organization. But at what level should we specify the assets?

    For example, the ones you specified: 

    People

    • Management
    • Employees
    • Part-time external employees
    • External parties visiting the organization

    Applications and databases

    • Applications (licenses)

    And so on.

    If we take a few real examples from our organization, should we specify them in detail, such as:

    *** (helpdesk software, critical for giving good support to our clients)

    *** (billing system for our cloud business)

    Or should this be classified as a broader category such as your examples? 

    Thank you

  • Audit

    I would be grateful if you could resolve the following question.

    A few months ago I bought your Premium Package and I have been doing the preparation so that a company can get certified in ISO 27001.

    My question is: how far do I need to get before the certification body carries out its audit? Please consider that I have completed all the required and mandatory steps under ISO 27001, having reached the “Awareness and training plan”. I am only missing the “Internal audit”, “Management review” and “Corrective actions” items. My question is whether these last 3 steps must be carried out before undergoing the certification audit.

    I should point out that, in my capacity as consultant for the ISO 27001 implementation, I could not perform the internal audit, because I must not be “judge and party”.

    What should I do, or what do you recommend?