ISO 27001 & 22301 - Expert Advice Community


  • Supplier Security Program (Annex A 15 Supplier Relationships)

    I am a little unclear on what the scope of the supplier management program should include. I am well informed of the risk based approach for vetting and ongoing oversight and management, but I am wondering if the control only extends to suppliers where agreements are maintained or if it extends to any and all vendors that provide products and services to my organization (e.g., Adobe, Open Source Tools, etc.). For instance, we use software where we simply accept the terms of use like Adobe or video editing software. Obviously, we would not treat all vendors the same in terms of vetting and ongoing reviews, but we are not clear on whether we still need to include every single third party on our vendor spreadsheet with their classification, or if the list should only include those that we have classified as high risk or critical.
  • Non-conformance

    I want to ask: staff members were observed using their own phones in the processing area even though the company policy clearly prohibits the use of phones. Is this a major non-conformance or a minor one? I do not completely understand the difference between them.

  • ISO/IEC ISMS 27001 Annex A

    In relation to the ISO/IEC ISMS 27001 Annex A objectives and controls about leadership, and as one example, "Appropriate contacts with relevant authorities shall be maintained" in the business: our business has an organization chart, but the chart shows reporting lines by job function. Could you please share template examples of a business organization chart that demonstrates a top-down organization structure incorporating Company Management, Corporate GRC [Governance, Risk, and Compliance], IT GRC, IT Management and Business? Our organization is in the certification process. We need the business organization chart to support Information Security and ISO/IEC ISMS 27001 certification.

  • Query on Annex A Controls - ISO27001

    The company I work for is working towards attaining ISO27001 certification this year, and I am part of the project team embarking on this.
    I am working through Risk Management at the moment; having completed Risk Identification & Assessment, I am looking at treatment now.
    I am specifically looking at the Application & Database Information Assets. I note the risk of Inadequate Maintenance; however, I cannot find a control specific to Software/Application Maintenance.
    My train of thought is towards version releases, upgrades, database maintenance plans, data checks, etc. The nearest controls I have noted are:
    A.11.2.4 Equipment Maintenance
    A.12.5.1 Installation of Software on Operational Systems
    A.14.1.1 Information Security Requirements Analysis and Specification
    A.13.1.2 Security of Network Services
    Is there a specific one for Software Maintenance?
    I would appreciate some direction.

  • Performing Security Risk Analysis

    I just have a question on performing Security Risk Analysis. Is doing a security audit and VAPT another way of performing security risk analysis?