ISO 27001 & 22301 - Expert Advice Community

  • How to treat risk with own control?

    Can you please tell me how we can treat a risk in the risk register with an own security control (not one of the controls of Annex A)?

  • SoA 2022 version

    Hello, I have a question regarding Annex A controls. We are going to certification in Autumn 2023. Can we use the new set of controls for our SoA, even if there is still no accredited certification body for the 2022 version?

  • Contractual obligations

    Hi Dejan!

    I hope you are well and don’t mind me reaching out. I am in the process of drafting legal and contractual obligations for the company ISMS and wanted to ask if you would kindly be able to share an example of each?

    I’m struggling to find examples online, particularly for contractual requirements and how this should be documented.

    It would also be good to know in your experience, the average number of legal and contractual obligations a medium sized organisation would usually need to have.

    Any help would be greatly appreciated.

  • ISO 27001 applicable legislation

    Are you able to advise on applicable laws and regulations in scope for ISO 27001 in the UK? If unable to confirm on applicable law on specific countries, then can you please advise on the standard regulations?

  • Change Management in Conformio

    Good morning. Please advise as to whether there are procedures regarding changes required in documents within Conformio, for example, artifacts pertaining to the ISMS. If so, are they related to a formal Change Management Procedure? If so, where is this recorded?

  • Residual risk

    Thanks for a very informative webinar on risk assessment. I have 3 questions please:

    In your experience what would you say about multiple risk assessments for in-scope Business units as opposed to one asset-based risk assessment for the company? I ask because I work for a large company with over 3000 employees and it’s hard to do one risk assessment for the entire company as different assets are owned and managed by different teams/Business units, and these even overlap sometimes, e.g. an asset may have multiple owners.

    How would you determine the residual risk scores after you have implemented the controls to manage risks identified? Do you create another 2 columns for impact and likelihood after the initial impact and likelihood assessment that resulted in the inherent risk scores?

    In terms of scoping the risk assessment you mentioned using our ISMS scope statement but our scope isn't based on assets but on processes?

    I look forward to hearing back from you.

  • CISO role vs ISO 27001 implementer

    For a new startup, we are hiring a CISO. At the same time, we need help with the implementation of ISO 27001 as well. Is it fair to expect a CISO to implement new ISO policies, procedures, training, asset risks and risk maps? On a scale of 1-100, we are at about 30 in terms of implementation. The question is: do we still need a consultant for implementation? We are about to interview candidates for CISO. What can we ask him to convince ourselves that he can do both? Do they generally come with the implementation skills, or would they be asking for an additional consultant?

    Appreciate some feedback on this. I enjoy reading your book a lot.

  • Implement ISO 27001 & ISO 22301- ISMS and BCMS Manual

    Please clarify: I couldn't find the ISO 27001:2022 ISMS Manual and the ISO 22301:2018 BCMS Manual in your package, and they are also not mentioned in the List_of_documents_ISO_27001_ISO_22301_Premium_Documentation_Toolkit_EN. I need both the ISMS and BCMS manuals.

    Here in the *** market, clients want an ISMS Manual and a BCMS Manual for the client's supplier registration process.

  • Filling Procedure for Document and Record Control

    I am making a start on the documents, and I have started with 01 Procedure for Document and Record Control.

    In the “purpose and scope and users” section (https://i.imgur.com/wFfvKs9.png):

    We are doing both ISO 27001 and ISO 22301 together so do we:

    1. Take our Business Continuity Management System and leave ISMS to cover the two, or
    2. Put an “and” in between ISMS and BCMS so we include the two?

    I hope this makes sense.

    I look forward to your expert opinion.
