ISO 27001 & 22301 - Expert Advice Community

  • ISO/IEC ISMS 27001 Annex A

    In relation to the ISO/IEC 27001 ISMS Annex A objectives and controls about leadership, and as one example, "Appropriate contacts with relevant authorities shall be maintained" in the business: our business has an organization chart, but the chart shows reporting lines by job function. Could you please share template examples of a business organization chart that demonstrates a top-down organization structure incorporating Company Management, Corporate GRC (Governance, Risk, and Compliance), IT GRC, IT Management and Business? Our organization is in the certification process. We need the business organization chart to support Information Security and ISO/IEC 27001 ISMS certification.

  • Query on Annex A Controls - IS027001

    The company I work for is working towards attaining ISO27001 certification this year and I am part of the project team embarking on this.
    I am working through Risk Management at the moment, having completed Risk Identification & Assessment, I am looking at treatment now.
    I am specifically looking at the Application & Databases Information Assets. I note the risk of Inadequate Maintenance, however, I cannot find a control specific to Software/Application Maintenance.
    My thought train is towards version releases, upgrades, database maintenance plans, data checks, etc. The nearest controls I have noted are:
    A.11.2.4 Equipment Maintenance
    A.12.5.1 Installation of Software on Operational Systems
    A.14.1.1 Information Security Requirements Analysis and Specification
    A.13.1.2 Security of Network Services
    Is there a specific one for Software Maintenance?
    Appreciate some direction.

  • Performing Security Risk Analysis

    I just have a question on performing Security Risk Analysis. Is doing a security audit and VAPT another way of performing security risk analysis?

  • ISMS scope - Not interested in ISO27001 accreditation

    This is the first phase of ISO27001 for us. We don't plan on seeking certification but are interested in aligning our environment to ISO27001.

    Is it compulsory to define a scope? Can we just go about implementing ISO27001 for our whole environment? We are a small organisation but getting bigger.

    The idea is to initially implement the ISO27001 framework organisation-wide so that when we expand we have good practices in place that will allow us to build on (expand on).

    Do you see any risks/concerns with this approach? Is there a better way to go about it? What are your recommendations?

  • SoA’s justification for the selection of control

    I have two questions, first about SoA’s justification for the selection of control and second about secure areas:

    1. If there are no risks from the risk treatment (thus no risk treatment number for the control), should one use risks from the risk assessment (select risk numbers which have already been treated by a control) as the justification for selection?

    2. I have a hard time figuring out what the differences are between secure areas (A.11.1.5) and securing offices, rooms and facilities.

  • BCP- IT Disaster recovery

    Hi, I am looking for a tool to help map or link the upstream and downstream dependencies from a business process and systems perspective. Can you help?

  • Risk of identifying too few risks

    One quick question - is there any risk of our identifying too few risks that we think require treatment? Our risk assessment identifies around 200 scenarios (though we may decide that a large share of these are outside of our scope). For most of these, we have controls in place already and are willing to accept the residual risk. There are just a small handful where we think it would make sense to introduce additional controls. Is this something that an auditor would look askance at?

  • Integration suggestion on QMS (AS9100) & ISMS (27001)

    For a company like us (***), how do we define the scope? I mean, what are our inclusions and exclusions in the scope of the ISMS?

  • Defining Scope

    1. How to define the scope?

    2. Can we say that a company is certified if it is just a part of it that meets the standard?

    3. A company that builds an IT solution: can we distinguish between its business infrastructure and the product infrastructure?