ISO 27001 & 22301 - Expert Advice Community

  • Risk Assessment

    To start, during our last discussion you mentioned we could email you with any questions we have.  If your inbox isn’t the right place to direct these to, please let me know the alternative address.

    I had two general questions:

    (1) Our product as a service platform can be thought of as containing multiple modules (this is primarily a marketing and sales spin). Each module can be thought of as performing a different feature (i.e. dashboard module, data dissemination module, data transformation module), but these are all driven by a single code base. When doing the risk assessment, should these be thought of as separate assets? Or should they be represented by a single asset (i.e. *** platform)?

    (2) The scope of our ISO is the "handling of customer data (ingestion, storage, dissemination)". In the risk matrix, we’ve already called out assets (and done the threat/vulnerability breakout) including:
    - employees
    - contractors
    - management
    - office
    - data centers
    - network
    - laptops
    - mobile phones
    - application software (codebase)
    - licensed application

    Is there value to auditors in specifically calling out assets for each of ingestion/storage/dissemination? Or should they be worked into the existing assets (i.e. ingestion would exist under datacentres)? Ingestion / storage / dissemination are technically “processes” (not assets), so on one hand I’m hesitant to list them as assets, but on the other hand they are important portions of the scope and so calling them out might help the focus of the audit. Can you share your thoughts on this?

  • Compliance with the access control policy

    Hi, quick question: now that there is COVID-19, how do you stay in compliance with your access control policy? (meaning access cards, biometrics, etc.)

  • Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

    I was checking this White paper: Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

    On page 2 it refers to Definition of security roles and responsibilities A.7.1.2, A.13.2.4

    Is there a mistake to the reference?

  • Finding internal and external auditors

    We’re still several weeks away from being ready for an internal audit, but I have questions about the internal and external audits that I wanted to ask now in case it takes us a while to make the necessary arrangements.

    1. First, we’re thinking of hiring an auditor who has experience doing ISO 27001 audits to do our internal audit, because it seems like this will give us a better sense of how the external audit will go (though let me know if this logic is flawed for any reason). Do you have any resources you could point me to on hiring an auditor for the internal audit? Or any tips on how best to find someone?

    2. Second, do you have any resources you could point me to on finding a certification body? In particular, I believe we’ll want to find one that has auditors in ***. We won’t have any operations in *** until after we get certified (we need to be certified before we're allowed to start work there). But once we start operating in ***, I assume we’ll need an auditor to visit our office there for follow-up audits in 2021 and beyond (again, please let me know if any of these assumptions are wrong).

  • ISO 27001 Risk Assessment

    Can we perform risk assessment without writing threats and vulnerabilities? Only writing risks?

  • Implementation of ISO Standard in software

    I hope that you can help me or possibly refer me to the right address to solve my problem.

    We are working on developing software for documentation, management, and planning of LAN / WAN networks. Our clients are mostly ISPs, who use our software to document passive infrastructure. We received a request for a "history" module in which "certain" changes in the database will be saved and which is necessary for ISO certification, in order to determine the status before the change itself.

    Unaware of the certification requirements, we are unable to find out what changes to facilities (buildings, cables, pipes, services, etc.) are important, and what information we need to validate and store.

    I hope that I have managed to bring you closer to the topic of this problem.

  • Project Plan

    I have drafted my Project Plan.  I have a couple of questions:

    1. Although my tool kit is supposed to include ISO 27001, 27017 and 27018, the Project Plan template only refers to 27001 and Business Continuity.  Should it not include all 3?  My concern is that I am missing something in the project plan because the template does not talk about all 3.

    2. I am also confused about Business Continuity.  Does that need to be in or not?  You have taken it out in the demo.

    3. There is no section in the Project Plan for training.  Should this not be part of the Project Plan?

    4. Should there not be a section on the test audit date as well?

    5. It seems like the Project Plan is just about completing the documents and nothing else.

  • A.5 and A.8 elements

    Our organization had purchased the ISO 27001 from Advisera last year, I am in need of your assistance pertaining to ISO 27001 packet and its documents within.

    While implementing elements of ISO 27001 A.5 and A.8, a few of my results pointed to the following documents/forms; however, they are NOT available in the ISO 27001 packet we purchased.

    How do I obtain the following list of documents so that I may complete my asset management and controls?
        A.7.2.1 - Management responsibility
        A.8.1.3 - Acceptable use of assets
        A.9.1.1 - Access control policy
        A.12.3.1 - Information backup
        A.13.1.3 - Segregation in networks

  • Chemical lab test

    What are the measures which should be followed in a chemical lab for assuring the quality of the test?

  • User Account Responsibilities

    I have a query in the “IT Security Policy” document.

    3.6. User Account Responsibilities

    The user must not, directly or indirectly, allow another person to use his/her access rights, i.e. username, and must not use another person’s username and/or password.  The use of group usernames is forbidden.

    Query: As per the clause ‘A.9.3.1’, the individual users shall have secret authentication information. We are a manufacturing firm and use shared assets.

    1. How do we comply with this clause?

    2. Is it necessary to have this clause written in the policy?