ISO 27001 & 22301 - Expert Advice Community


  • Assets Inventory and Risk Assessment

    We are now creating our asset inventory and risk assessment.

    We've now listed about 100 assets; 33 of them are cloud services.

    I have a couple of questions:

    1. Some of the cloud services we are using are already ISO 27001 certified (e.g. AWS, or some service hosted in AWS). Does that have any meaning for us?

    2. Do we still have to consider risks for those cloud services as well?

    3. Could we group the assets so that they become more manageable? E.g. one group, "Cloud services", and perform the risk assessment for this group, or divide it into SaaS and IaaS groups.

    4. Who should be the asset owner of an operating system – the user? And the risk owner is the system administrator?

  • What should I request from the client to do a DR Plan?

    Just a quick one: what should I request from the client to do a DR plan?

    I can only think of the following:
    NDA
    Network diagram
    Configurations
    Processes
    Policies (backup, regulatory)
    BCP
    I am currently working with a bank that wants a DR plan.

  • ISO 27000 Lead Auditor

    I had some questions regarding securing the certification:

    1. Is it necessary or recommended to secure a foundation certification prior to the lead auditor certification?

    2. I am a Quality Manager with 8 years of relevant experience, and I intend to switch to core GRC roles. Will this certification help me clear CISA, which is my future certification aspiration?

    3. Any other tips that you think might help me scale up would be appreciated.

  • Risk Assessment

    Looking for your expert opinion.
    Background: My ISMS scope consists of 3 scopes: 1) Data Center, 2) Portal Maintenance, and 3) a critical business process, e.g. driving license application.
    Question: Can I use asset-based risk assessment, or should I use process-based risk assessment? I appreciate your expert view.

  • Implementation of ISMS

    I am very familiar with ISO 27001 and other frameworks like NIST, etc. I was always conducting security assessments only. This is the first time I am in an ISO 27001 implementation project. My questions are:

    1 - How and where should I start in an ISMS implementation project?

    2 - Do you have any knowledge base that talks about step-by-step ISO 27001 implementation? This project involves many stakeholders, like application security, database track, etc. So how do I manage those teams, as I am alone from the GRC team? I have to ensure all service tracks are aligned with ISO 27001 requirements. So please provide your valuable inputs.

  • Risk Management and "Asset value" & Asset Criticality

    In your booklet "Step-by-step explanation of ISO 27001/ISO 27005 risk management", you use a risk calculation where "asset value" is part of the formula. My questions are:

    1) Does ISO 27001/27005 require the risk management process to use asset value as part of calculating the risk assessment level?

    2) Does the standard require asset valuation as part of the risk management process? Or can it be seen as an input, rather than a direct output of the process? That is to say, asset value is important to me as Risk Manager, but I need that input from the organization. It is not my responsibility to produce it as part of the RM process.

    3) What is the relationship between asset value and criticality assessment (like FIPS 199/200)? Again, I see asset criticality assessment as an input to RM, alas, not something that I am responsible for as part of the RM process.

    4) Finally, have you written a solid book (like the one on 22301) that explains in detail how 27005 should be applied section by section?

  • Inquiry about Gap Analysis

    I have been following your studies and materials about ISO 27001 implementation on your website. You stated on your website at https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/ that gap analysis is done only for Annex "A" controls and that one DOES NOT need to perform gap analysis for clauses of the main part of the standard. I believe you are referring to the mandatory management clauses from clause 4 to 10. (Please find attached screenshot.)
    https://i.imgur.com/WD5Wr5D.png

    Now, my confusion comes from the ISO 27001 Gap Analysis tool you provided on your website at https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/?icn=free-gap-analysis-tool-27001&ici=bottom-iso-27001-gap-analysis-tool-txt. In this gap analysis tool, you included the mandatory management clauses (i.e. clauses 4 to 10) as part of the gap analysis checklist, when you stated previously that gap analysis is not performed for the mandatory management clauses.

    Can you please explain why?

  • Underscores in a file name

    One point that wasn't answered is regarding underscores in a file name.

    In terms of best practice and your opinion, given that all the document templates in your toolkit have underscores, is this something you recommend? What is the reason for having underscores in the file name?