Get a 20% discount on the first year of the Company Training Academy annual plan.
Limited-time offer – ends April 24, 2025
Use promo code:
CTA20

ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit register of requirements Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 9001:2015 ISO27001
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • The scope of ISO 27001 training

    Does the ISO 27001 training offered cover only small and medium businesses? I mean the scope of training because when I started the training of internal audit for the same standard the lecturer said it is suitable only for small/medium businesses… so the training is not suitable for corporations?

  • Changing SOA in praparation of audit

    we are currently preparing for our control audit. 

    However, due to personnel changes I am contemplating to change certain aspects of the SOA to reduce unnecessary overhead. 

    What effect will the removal of controls e.g. A.14 have for the audit and our certification scope?

    Can Changes to the SOA only be made prior to certification audits?

  • Changing SOA in preparation of audit

    We are currently preparing for our control audit. 

    However, due to personnel changes I am contemplating to change certain aspects of the SOA to reduce unnecessary overhead. 

    What effect will the removal of controls e.g. A.14 have for the audit and our certification scope?

    Can Changes to the SOA only be made prior to certification audits?

  • Systems vs Suppliers

    I am curious to get some input in regards to how you manage Suppliers of critical systems. At the moment I am struggling with deciding wheater we should consider all providers of citical systems also as a critical supplier and handle them in our supplier handling process. All critical systems are handled, risk assessed etc. according to our Asset management process. But I now ask myself if it is neccessary to also have all of them inserted as critical supplier and go through all the administrative work related to that. 

    example: we use Hubspot and this has been evaluated as a critical system. It is included in our system asset register, has gone though a comprehensive system review and we have the relevant contracts/agreements in the contract database. Would you also add Hubspot in the supplier register as a critical supplier? Which means that we will also evaluate the supplier on a regular basis etc. 

    Another aspect to this is that for systems that we  "purchase" via a supplier.. then we don't have the actual provider of the system registered as a supplier but the partner that the system provider is using. 

    I would love to hear your thughts on this. 

     

  • Secure development policy

    A.14_Politica_de_desarrollo_seguro_27001_ES",  necesitamos saber para punto "3.3  Principios de  ingeniería segura", ¿si estos principios debe ir detallados en esta política?, y si ésto es así, ¿que principios se deben incluir? o proporcionar alguna documentación o ejemplo para complementar este punto.

  • Register of Requirements Blank

    I should have clarified on the initial request but for the register of requirements, if we don’t have any legal, regulatory, or contractual security obligations do we also list internal security policy requirements, or is this section left blank? While we do have MSAs, we don’t have a specific security control agreement with clients currently.

  • Risk assessment and treatment

    We want to be compliant with the Baseline Information Security for Dutch governments, abbreviated as the BIO. For more info https://bio-overheid.nl/   This baseline is a selected subset of ISO27002 controls. Controls selected based on information security risks for Dutch governments. We already created information security policies, procedures and implemented most of the organizational and technical controls.

    My questions:

    1. would it be acceptable for the ISO27001 certification to do a risk assessment and treatment with a GAP analyses of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.

    2. if so – do we have to implement all technical and organizational controls before we start the certification process? Or I it sufficient that we proof we are in control of the risks by following the ISO27001 ISMS norm?

  • Document Recovery Plan

    I am using the Document Wizard to write the Disaster Recovery Plan. Section 11 requires me to specify the archives of the person in which the records of recovery steps implementation (in paper form) are store In my company, we keep all documents and records in electronic form in Sharepoint. The IT Dept documents their technical work procedures using One Note or MS Word. DRP test reports are prepared in MS Word and filed in pdf form

    https://i.imgur.com/rlvKyFv.png

  • Re-certifying

    My company is due to re-certify on ISO27001 at the end of the year. If we re-certify on the 2013 ISO 27001, would we have to keep this for the whole 3 years, or are we able to re-certify for the 2022 version next year?

    Any help would be appreciated.

  • Antivirus and MacBook Pro

    We are hoping to have antivirus software installed on every Macbook and iOS device to have the Jamf or Miradore platform because our company exclusively works with IOS applications. The problem is that we are unsure if that complies with ISO 27001, so I needed your help in this situation. 

    Jamf is primarily focused on managing and securing Apple devices such as Macs, iPhones, and iPads. It provides a range of tools for device management, including inventory management, software distribution, patch management, and security controls. Jamf can help organizations implement some of the controls required for ISO 27001 compliance, such as ensuring that devices are properly configured and that security updates are applied in a timely manner. However, it does not provide comprehensive support for all aspects of ISO 27001 compliance. 

    Miradore, on the other hand, is a more general endpoint management platform that can be used to manage a wide range of devices, including those running Windows, macOS, and Linux. It provides a range of tools for device management, including inventory management, software distribution, patch management, and security controls. Miradore can help organizations implement some of the controls required for ISO 27001 compliance, such as ensuring that devices are properly configured and that security updates are applied in a timely manner. However, like Jamf, it does not provide comprehensive support for all aspects of ISO 27001 compliance. 

    In summary, while both Jamf and Miradore can be useful tools for managing and securing endpoints, they are not designed specifically for ISO 27001 compliance.

    So could you please help us with this?
Page 15 of 544 pages