ISO 27001 & 22301 - Expert Advice Community


  • Annex SL 27001 or annex A 27001

    For network security, is it better to apply Annex SL 27001 or Annex A 27001?

  • ISO27001& ISO22301, GDPR and PCI-DSS

    1 - Is it possible to have all in one? It is for my client, who wants to implement them since he has a client who requests that he implement them all.

    2 - How much will it cost for implementation with documents?

    3 - Is it possible to do it via Zoom or Webex for implementation?

  • Defining the Scope

    I would like to start off with a scope that includes the information stored in our datacenters.

    But, when I look at the ISO 27001 standard, it states quite clearly that:

    When determining the scope, the organization shall consider:
    a) the external and internal issues referred to in 4.1 (Understanding the organization and its context)
    b) the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties)
    c) interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.

    I refer in particular to point c). We use 3rd party suppliers, some of whom process our client data (which is stored in our datacenter), and I was wondering: if I only include the information that is stored in our datacenter in the scope, and if I don’t include 3rd parties in the scope, will the ISMS fail the audit? Or is it simply enough to say that we have controls and policies in place around the data that is stored in our data center, and that these controls pertain to 3rd parties who process some of that data that resides in our datacenter?

  • Confidentiality, Integrity, and Availability

    When developing the Risk Assessment, the CIA must be considered. If we use asset-based, CIA refers to the asset, right? But if we use risk- or process-based, what will the CIA refer to?

  • Risk Assessment Table

    I would like to find out from you how to treat the quality of work that an organization produces during its operations. Should this be considered when preparing the Risk Assessment?

    For example:

    Appendix 1 - Risk Assessment Table
    https://i.imgur.com/g1qgUdT.png

  • Statement of Applicability

    I hope you don’t mind me contacting you. I bought two of your books through my work.

    I have a question about the Statement of Applicability and I was hoping to get your opinion.

    1 - My understanding of the SOA is that it lists the 114 controls of Annex A. An organization should select the controls that are ‘applicable’ to safeguard the assets that are in the scope of the organization's ISMS. Is this correct?

    There is something I do not understand. The above makes sense if the SOA only applies to 1 asset (for example, a single business system). In this example, 112 out of 114 controls might be applicable. But what happens when you add more and more assets? The 2 controls that are not applicable for the first asset might be applicable for the other assets – eventually, you just end up saying that all 114 controls are applicable and therefore the SOA does not really have much value at this point?

    2 - My other question is around risk assessments. If all 114 controls are applicable for a system, does that mean our risk assessment has to cover all 114 controls? Or would a better way be to do a ‘compliance assessment’ to verify which of the 114 controls are applicable and which of those controls are implemented and working effectively and then document the risks based on the control gaps?

  • Assessment/Treatment Methodology

    I would now have a question on the Risk Assessment / Treatment Methodology: what exactly must be included in the "list of legal, regulatory and contractual or other requirements", or what is the recommendation?

  • ISO 22301 Accreditation

    Considering I have extensive experience in DR/BC and meet the professional and project experience requirements, can I take the PECB Certified ISO 22301 Lead Implementer exam after self-study (or third-party training), without a prior PECB-only class?

  • Difference between the three terms

    At work we understand that the Information Security scope includes all sources of media: paper, verbal, and digital media, and that Information Security establishes controls.

    IT security is the installation of anti-viruses and updates and their administration. IT security is performed by IT specialists of the IT team.

    What is cyber security? In the book you say it is synonymous with IS.

    IS = CyberSec, or CyberSec = ITsec?