ISO 27001 & 22301 - Expert Advice Community


  • Risk Treatment

    I am very new in this field (IT security, ISO 27001) and my biggest issue is understanding how I can improve my knowledge and use it in practice, because I have good knowledge about ISO 27001 but I don't have any idea how I can use that in practice.

    For example, when I have scope and SoA documents, how can I implement them in practice with help from ISO 27001 and create a risk analysis, risk treatment, and so on?

    It would be great if you have some advice for me.

  • ISO 27001 scope

    1. We use a third party to provide infrastructure for our product (Installation sits on an AWS Server). On the Scope document, what would we put under “Location” for these servers that are provided by a third party?

    2. What would we count as our assets regarding these servers that are provided by a third party? These servers are accessed by our staff to do our work using any laptop that is available to us, provided that the IP is cleared by our CTO to access the servers.

    3. Do we need to reference anything from the Third Party provider? Where will it be referenced in the ISMS?

    4. Can you give examples on how regulations, like GDPR, translate into a policy or procedure – like a specific rule in the Information Security Policy Document. I just want to see an example of the wording pattern in a policy where a regulation is referenced.

    5. Let’s say the scope of ISMS for now applies to the Services that we provide that are hosted in a third party provided server. What would be examples to exclude?

  • Gap analysis

    Does your toolkit have provision for gap analysis?

  • Assessing the infosec requirements for new ict systems

    Kindly explain the meaning of "Assessing the infosec requirements for new ICT systems".

  • Implementing information security continuity

    I have two questions. First, about the SoA and selection of control A.17.1.2 Implementing information security continuity.

    1. In '06 Statement of Applicability' > 'Implementation method' is [Business Continuity Plan], while in the 'List of Documents ISO 27001 ISO 22301' it is marked that 'Appendix 6 – Disaster Recovery Plan' is a mandatory document for A.17.1.2. I may have understood this wrong, but I am confused about what one should choose to document if A.17.1.2 is deemed applicable.

    2. Second, if one should deem that disaster recovery should be in place in the company but A.17 Information security aspects of business continuity management is not applicable, should one use only 'Appendix 6 – Disaster Recovery Plan' to document recovery?

  • Executives involved in ISO 27001

    1. How, and which, executives need to get involved in ISO 27001?

    2. Which documents need to be overseen by them specifically?

  • ISO 22301 certification

    I have two questions and I hope you can help find the answers.

    1. When looking for certification in *** I realize that there are not really a lot of people with experience in 22301. I talked to *** and they all struggle to find a proper contact to talk to. On the ISO website, I saw the 2018 survey that resulted in a total of 1128 certifications worldwide and only 7 in ***. Do these numbers seem correct to you? Do you know German companies with a 22301 certification?

    2. We realized that a cyber attack is a very likely threat. As a financial services company we rely heavily on our IT department (which is in the process of getting certified to 27001). How can we handle that in the scope of the BC Plan? Is it OK to delegate the responsibility to IT, or do we have to come up with our own detailed plans? We need to come up with ideas and plans on what to do when such an incident occurs and how we e.g. bridge the first hours and days, but it is difficult to take ownership for fixing the IT part. How can that be handled?

  • ISO 27001 implementation

    Hi, I'm trying to get a start on implementing ISO 27001 for my approx. 250-person company.

    1. In addition to the kit I bought from you, I purchased the standard from ISO... I now realize I should have also bought 27002 so I can get more details on the controls. Is there a package you recommend that has everything I need in it? I'd prefer to get that instead of having to keep asking my CFO for permission for each thing.

    2. Also, I've done the foundations course but I am still feeling a little overwhelmed with where to start... I think risk assessment methodology is the place, but I'm not sure.

    3. I've started going through the docs and updating them with our company info etc. and the roles I expect for certain things, but I'm not sure if that is the right thing to start with. Thanks in advance for any direction.

  • The best combination to use for IT Audit

    What is the best combination to use for IT audit from COBIT, ISO and ITIL?

  • ISO 27001 compliance testing

    Hi. I wanted to get a high-level view of the types of testing I should do for ISO 27001 compliance for a new website being built, and ball-park cost estimates of the price I should be paying an external organization to do that testing.