Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Certification ISO 27001
How long must a sgsi (ISMS) be operating to pass the certification process
-
Measures and Metrics
We have been struggling to get our measures and metrics right. Is there any best practice or education around measures and metrics?
-
How to control data tape movement during COVID19
We are ISO certified organization and due to COVID 19, we are not able to comply controls i.e. backup tapes movement from one location to off-site location
How do we address this? Is there any advisory published by ISO / any template /format where we can mention this and take approval from management & it will be helpful during the audit as well.
-
Corrective actions
How an auditor can verify that agreed corrective actions have been effectively implemented?
-
Internal Audit - choice of auditor
Is it typical in smaller companies (50-100 employees) that for the internal audit an external auditor is being hired? Or should you be thinking of somebody internally in the first place anyhow?
-
Business Continuity Policy 22301
1. I'm reading the Business continuity Policy according to ISO 22301; I Don't understand why it is written, "Because in many cases the executives have no idea how business continuity can help their organization, which means they won’t be particularly interested in supporting the business continuity effort in their company."
How it can be possible?2. If they are not involved that plant will be closed?
-
8.1 Operational planning and control
Since the Clause itself says “The organization shall keep documented information to the extent necessary to have confidence that the processes have been carried out as planned.”, does the Document in your Toolkit “Project Plan” fulfills the requirement of this clause? Since we will be planning the different phases of ISMS implementation in this doc and carrying out accordingly, do we require any other Documented info as it is a mandatory Doc to avoid major non Conformity. -
BCP and DR
Hello, I am having a hard time understanding the difference between BCP and DR. I know for our ISO cert we have to include a.17.4.6 right? That is the Disaster Recovery Plan, but our certifier is saying we do not have to complete the Business Continuity Plan, which is the rest of a.17, why is that?
-
Is there any process flow chart available that can be used for an audit process?
Many thanks for offering the Lead Auditor ISO27001, I was wondering if one has to start an audit, is there any process chart that can be used as guide ( like a flow chart )
Define Scope --> Review ISP and related documents --> Perfrom SOA --> etc
Something similar to Diagram of ISO27001 Implementation process but for conducting an audit
Cheers
Alex
-
Questions about risk
Whilst attending your ISO/IEC 27001 Lead implementer course, the following question (which actually consists of two subquestions) has arisen:
After risk assessment (in which I have considered also already implemented controls in order to reduce likelihood and/or impact) I still have a small number of unacceptable risks (i.e. with high-risk level).
Now I have to choose between available risk treatment options. I decide to apply further controls (although I think I could also choose risk acceptance as a risk treatment option and as a result to simply live with risks due to my risk appetite). I pick up 2-3 applicable controls (although there are more applicable controls in Annex A which I do now wish to adopt) from Annex A which will be implemented in the risk treatment plan later on.First subquestion: Is my thinking process aligned with ISO/IEC 27001 requirements?
Second subquestion: I now have to create the statement of applicability. Can I only consider (in the SoA) those controls which I have considered as significant for reducing my unacceptable risks OR is it mandatory to implement also controls (from Annex A) which I regard (according to my opinion) as not really useful or which I simply do not wish to apply?