SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4148
Discussions
Expert

Carlos Pereira da Cruz

1916
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Certification ISO 14001
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Can a single legal entity have multiple ISO 27001 certifications?

    Hi Our parent company has ISO 27001. We have a new venture that is devolving from the parent and will become a separate legal entity. We want the new venture to be ISO 27001 certified, however it operates very differently from the parent company. My question is can a single legal entity have 2 ISO 27001 certifications i.e one for the parent excluding the new venture and a separate one for the new venture (which over time will become a separate legal entity)?

  • Team in charge of implementation and maintenance of the ISMS

    We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".

    We also want this team members to be able to approve requests like for example in "09.01_IT_Security_Policy_27001_EN" for installing software, running java, to name just a few.

    We don't want only one person to approve this, whether it is the IT manager or the CTO.

    We are a 50-user *** company.

    It does not make sense to me that the executive team be the one in charge of the above since our case it is a small team of mostly non-technical users.

    We thought of creating a 3-person team (maybe call it "IT Team" or another name if you have a better idea) that includes the CTO, IT Manager and the Head of Engineering. This team already meet weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation. 

    Do you think that is a good idea?

    Is it in-line with the standard?

    If so, is it best described in "05_Information_Security_Policy_27001_EN"?

  • Certification

    Dear Dejan,

    I am following you and Advisera for a couple of months and I really like the content you provide.
    I am now in the process of preparing my first customer for ISO 27k certification, but the legal side of things with the certification is not quite clear to me.

    Would please be so kind, and give me your professional opinion on this? Would also Conformio help me with the process in this case?

    Let me give you a brief overview of the situation and you will know what I mean right away:

    There is company A (consists of 15 people), based in EU, which develops software, provides support, makes proprietary hardware for the software they make etc.
    Then there is company B (consists of 2 people), based outside EU, which owns the copyrights to this software, tells company A what to do, what to develop, and also is written on every contract when they sell this software.
    Customer wants this software to be ISO 27k certified. Company B has no other legal connection with Company A, they are not like parent/daughter companies.

    My question is, which company is going to be certified? Do they need to be both certified, separately?

  • Mandatory documents

    Why are you treating 2013 edition when 2022 becomes effective September?

  • ISO 22301 IT

    I'm working in the IT department and I have my friend working in the cyber security department, and we are now in the preparation processes to obtain ISO 22301 CERTIFICATE before this objective my friend in cybersecurity prepare all documents as part of ISO 27001 Preparation but it covers only cybersecurity department, I need your advice is that okay or it should cover all IT activities due to he tells me the main reason to disruptive the services in IT is the cybersecurity?

    please advise who is right we have prepared a BCM plan, Risk management, BIA, BC community, and response structural DR but it focuses on cybersecurity.

  • Risk Register & BYOD

    Our company develops software for the school management. We have a private office in a co-working space. We have employees but we are also working with freelancers. They are working from home all around the world. I have some questions about the assets for the risk register. My first question is about infrastructure assets: do we have to include the private office of Singapore co-working space? What about air conditioning, power supply...? Also same question about the co-working space in London. By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? We are using a virtual server from a third-parties provider (2 in Europe, and 1 in Singapore). Should we include these virtual servers in the assets? We have a website. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us?

  • The scope of ISO 27001 training

    Does the ISO 27001 training offered cover only small and medium businesses? I mean the scope of training because when I started the training of internal audit for the same standard the lecturer said it is suitable only for small/medium businesses… so the training is not suitable for corporations?

  • Changing SOA in praparation of audit

    we are currently preparing for our control audit. 

    However, due to personnel changes I am contemplating to change certain aspects of the SOA to reduce unnecessary overhead. 

    What effect will the removal of controls e.g. A.14 have for the audit and our certification scope?

    Can Changes to the SOA only be made prior to certification audits?

  • Changing SOA in preparation of audit

    We are currently preparing for our control audit. 

    However, due to personnel changes I am contemplating to change certain aspects of the SOA to reduce unnecessary overhead. 

    What effect will the removal of controls e.g. A.14 have for the audit and our certification scope?

    Can Changes to the SOA only be made prior to certification audits?

  • Systems vs Suppliers

    I am curious to get some input in regards to how you manage Suppliers of critical systems. At the moment I am struggling with deciding wheater we should consider all providers of citical systems also as a critical supplier and handle them in our supplier handling process. All critical systems are handled, risk assessed etc. according to our Asset management process. But I now ask myself if it is neccessary to also have all of them inserted as critical supplier and go through all the administrative work related to that. 

    example: we use Hubspot and this has been evaluated as a critical system. It is included in our system asset register, has gone though a comprehensive system review and we have the relevant contracts/agreements in the contract database. Would you also add Hubspot in the supplier register as a critical supplier? Which means that we will also evaluate the supplier on a regular basis etc. 

    Another aspect to this is that for systems that we  "purchase" via a supplier.. then we don't have the actual provider of the system registered as a supplier but the partner that the system provider is using. 

    I would love to hear your thughts on this. 

     
Page 13 of 542 pages