ISO 27001 & 22301 - Expert Advice Community


  • ISMS scope - Not interested in ISO27001 accreditation

    This is the first phase of ISO27001 for us. We don't plan on seeking certification but are interested in aligning our environment to ISO27001.

    Is it compulsory to define a scope? Can we just go about implementing ISO27001 for our whole environment? We are a small organisation but getting bigger.

    The idea is to initially implement the ISO27001 framework organisation-wide so that when we expand we have good practices in place that we can build on (expand on).

    Do you see any risks/concerns with this approach? Is there a better way to go about it? What are your recommendations?

  • SoA’s justification for the selection of control

    I have two questions, first about SoA’s justification for the selection of control and second about secure areas:

    1. If there are no risks from the risk treatment (thus no risk treatment number for the control), should one use risks from the risk assessment (select risk numbers which have already been treated by a control) as the justification for selection?

    2. I have a hard time figuring out the differences between secure areas (A.11.1.5) and securing offices, rooms and facilities.

  • BCP- IT Disaster recovery

    Hi, I am looking for a tool to help map or link the upstream and downstream dependencies from a business process and systems perspective. Can you help?

  • Risk of identifying too few risks

    One quick question - is there any risk of our identifying too few risks that we think require treatment? Our risk assessment identifies around 200 scenarios (though we may decide that a large share of these are outside of our scope). For most of these, we have controls in place already and are willing to accept the residual risk. There are just a small handful where we think it would make sense to introduce additional controls. Is this something that an auditor would look askance at?

  • Integration suggestion on QMS (AS9100) & ISMS (27001)

    For a company like us (***), how do we define the scope, I mean what are our inclusions and exclusions in the scope of ISMS

  • Defining Scope

    1. How to define Scope

    2. Can we say that a company is certified if it is just a part that meets the standards?

    3. A company that builds an IT solution. Can we make a difference between its business infrastructure and the product infrastructure?

  • ISO 27001 + TISAX

    Do we need to certify to both ISO 27001 and TISAX, since we have already been certified to ISO 27001 for the past two years? We provide global engineering support to the automotive industry.

  • SOA controls

    I have a question around the SOA controls. Our company was certified last year on ISO 27001 and we have the surveillance audit coming up.

    1. What happens in the case where we realize that some SOA controls that were marked as N/A during last year's audit could actually be applicable...

    2. What impact will it have on our surveillance audit?

    3. Would we need to recertify before going for the surveillance audit?

  • Final Presentation of Project Results

    In the Project Plan template, it has a place to enter a date for the Final Presentation of Project Results. 
    Who is this presentation to and should it be done before or after the self-audit?

  • ISMS roles and responsibilities

    If there is a documented appointment (in a Google spreadsheet) by team leaders of their subordinates as ISMS champions, but it is not signed/acknowledged by the team members/subordinates, and the team members appointed as ISMS champions have attended the training for ISMS roles and responsibilities with proof of attendance, is this tantamount to conformance to Clause 5.3 (Organizational roles, responsibilities and authorities) and Annex A.6.1.1 (Information security roles and responsibilities)?