ISO 27001 & 22301 - Expert Advice Community

  • Impact details for each ISO 27001 control

    I want impact details for each ISO 27001 control.
    I need impact details for all 114 ISO 27001 controls if they are not implemented.

  • No data security clause in existing employee and commercial contracts - should we send an addendum to all contracts?

    I have assumed that it is recommended to have a clause referencing data security in employee and commercial contracts with suppliers and clients.

    We therefore have an action to create a new standard contract for employees, suppliers and clients to include the new data security requirement.

    However, my question is: what is the recommended approach for existing employees, suppliers and clients whose contracts do not include the necessary data security clause? Should we be sending an addendum to the contracts? Is it recommended that we do this as part of our ‘treatment’ action on the data security risk that employees, suppliers and clients alike pose to our business?

  • Identifying the changes in ISO 27001 scope

    My organization is certified for ISO 27001:2013.
    We are planning to shift some of the on-prem applications to the cloud (public cloud with a virtual private cloud).
    I request your help in identifying the changes in the ISO 27001 scope.
    What clauses and controls do I need to check for "on-prem" as well as "cloud"?

  • Assets Inventory and Risk Assessment

    We are now creating our Asset Inventory and Risk Assessment.

    We have now listed about 100 assets, 33 of which are cloud services.

    I have a couple of questions:

    1. Some of the cloud services we are using are already ISO 27001 certified (e.g. AWS, or a service hosted in AWS). Does that have any meaning for us?

    2. Do we still have to consider risks for those cloud services as well?

    3. Could we group the assets so that they become more manageable? E.g. one group, "Cloud services", and perform the Risk Assessment for this group, or divide it into SaaS and IaaS groups.

    4. Who should be the Asset Owner of an operating system: the user? And is the Risk Owner the System Administrator?

  • What should I request from the client to do a DR Plan?

    Just a quick one, what should I request from the client to do a DR Plan?

    I can only think of the following:
    NDA
    Network diagram
    Configurations
    Processes
    Policies (backup, regulatory)
    BCP
    I am currently working with a bank that wants a DR Plan.

  • ISO 27000 Lead Auditor

    I had some questions regarding securing the certification:

    1. Is it necessary or recommended to secure a foundation certification prior to the lead auditor certification?

    2. I am a Quality Manager with 8 years of relevant experience and I intend to switch to core GRC roles. Will this certification help me clear the CISA, which is my future certification aspiration?

    3. Any other tips that you think might help me scale up would be appreciated.