ISO 27001 & 22301 - Expert Advice Community


  • Risk of identifying too few risks

    One quick question: is there any risk of our identifying too few risks that we think require treatment? Our risk assessment identifies around 200 scenarios (though we may decide that a large share of these are outside of our scope). For most of these, we have controls in place already and are willing to accept the residual risk. There are just a small handful where we think it would make sense to introduce additional controls. Is this something that an auditor would look askance at?

  • Integration suggestion on QMS (AS9100) & ISMS (27001)

    For a company like us (***), how do we define the scope? I mean, what are our inclusions and exclusions in the scope of the ISMS?

  • Defining Scope

    1. How do we define the scope?

    2. Can we say that a company is certified if it is just a part that meets the standards?

    3. For a company that builds an IT solution, can we make a distinction between its business infrastructure and the product infrastructure?

  • ISO 27001 + TISAX

    Do we need to certify to both ISO 27001 and TISAX, since we have already been certified to ISO 27001 for the past two years? We provide global engineering support to the automotive industry.

  • SOA controls

    I have a question around the SOA controls. Our company was certified last year on ISO 27001 and we have the surveillance audit coming up.

    1. What happens in the case where we realize that some SOA controls that were marked as N/A during last year's audit could actually be applicable...

    2. What impact will it have on our surveillance audit?

    3. Would we need to recertify before going for the surveillance audit?

  • Final Presentation of Project Results

    In the Project Plan template, there is a place to enter a date for the Final Presentation of Project Results.
    Who is this presentation to, and should it be done before or after the self-audit?

  • ISMS roles and responsibilities

    If there is a documented appointment (in a Google spreadsheet) by team leaders of their subordinates as ISMS champions, but it is not signed or acknowledged by the team members/subordinates, yet the team members appointed as ISMS champions attended the training for ISMS roles and responsibilities with proof of attendance, is that tantamount to conformance to Clause 5.3 (Organizational roles, responsibilities and authorities) and Annex A.6.1.1 (Information security roles and responsibilities)?

  • ISO 22301 gap analysis

    We are currently working on a gap analysis, but I can't seem to find much information about that regarding ISO 22301.
    I am sure it is like ISO 27001, but do you also happen to have more resources or templates about gap analysis for 22301?
    Maybe I just missed it in the template packages.

  • Internet Access

    With reference to the document 'A.8.2_IT_Security_Policy_Premium_EN' under '3.13 Internet Use':

    Is it mandatory to define access to the Internet only through the organization's network and not via direct access?

    If yes, how do we restrict/define actions for email services and cloud platforms, which in general are accessible from the direct network?
    If no, what set of restrictions are defined to comply with the requirements of ISO 27001?

    Please let me know if more clarification is required.

  • Non-Conformity 10.1 and 10.2

    1. Since we already have the templates for the topic "Non-Conformity 10.1 and 10.2" in our Toolkit, could you please give some examples of kinds of non-conformity?

    2. Can the main deviations marked by the Lead Auditor in the pre-audit be taken as non-conformities?