Guest
I am implementing ISO 27001:2013 standard for a client in ***.
My client has outsourced the ISO 27001:2013 policy development to an external consultant, and since the documentation is procured, all policy documents have the external consultant's name as the "Author". The policies are reviewed and approved by the client's CISO and Management representative.
Does this comply with
7.5.2 Creating and updating
When creating and updating documented information the organization shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number);
The external auditor has raised an objection for having an external consultant as the author of the policy.
Appreciate your inputs on the same.
Please, could you answer my questions? I have sent them to the chat but you didn't answer them during the webinar.
When we implemented ISO 27001 2 years ago (small company, 10 people), our first risk assessment table had many unacceptable risks, so we created various treatments (controls, safeguards, document policies...) to regulate these risks. Taking treatment controls into account, the new assessment showed just 1 risk that remains as a residual risk; the other risks have a lower (acceptable) value.
Now, we have modified our methodology and revised our risks in a new table (new version of the document). I have 2 questions:
1. When we revise a risk management table on an annual basis (new document), I'm not sure if we assess risks (consequence and likelihood) with all implemented controls/safeguards in mind or without them? If we take already implemented controls into account when assessing risks, almost all risks are acceptable (few residuals remain), so there is no need for additional treatment at this moment.
2. Hypothetical: if all risks are acceptable according to our methodology, is it OK not to have a Risk treatment plan?
Thanks for the webinar, it went as expected but rather quick.
The question I asked which you didn't understand is about "ISO 27001 risk assessment methodology". It talks about defining rules on how you are going to perform the risk management because you want the whole organization to do it the same way. It further states that the "biggest problem with risk assessment happens if different parts of the organization perform it in a different way".
Now my question is, does an organization have 2 or more ways of risk assessment methodology when they are supposed to work under one ISMS in the organization? Or why would an organization choose/have more than one way of risk assessment methodology?
I hope that my question is clear.
We are working on the ISO 27001 documents we purchased from Advisera.
1. We are discussing the implementation steps and we are a bit confused about the Risk Treatment Implementation and the Risk Treatment Plan. Please, what's the difference between the two? When are the risks actually treated?
2. Also, what's the difference between the risk treatment methodology and the risk treatment plan?
Can Risk Assessment be automated?
I am looking for either regulation or recommendation for the distance between the primary and disaster recovery location of the server sites. Is there any?
Hello, do you have guidelines for global background checks based on country, region and local laws, and how they impact compliance with the certification?
Hi, I have recently taken on a new role as MS coordinator in a logistics software company which has an IMS (9001 and 27001). Do the required document lists for the individual systems still apply for an integrated system, or can some documents be combined? Many thanks, your site has been really useful and has helped me clarify several queries.
I run a video consultation company (***), which works via desktop and mobile apps with data being stored in the cloud (AWS, which has 27001). Is AWS 27001 sufficient to show security, or do I need to do additional things? And if so, what? We are a small start-up so funding is very limited or zero!