ISO 27001 & 22301 - Expert Advice Community


  • BCP and DR

    Hello, I am having a hard time understanding the difference between BCP and DR. I know for our ISO cert we have to include A.17.4.6, right? That is the Disaster Recovery Plan, but our certifier is saying we do not have to complete the Business Continuity Plan, which is the rest of A.17. Why is that?

  • Is there any process flow chart available that can be used for an audit process?

    Many thanks for offering the Lead Auditor ISO 27001 course. I was wondering, if one has to start an audit, is there any process chart that can be used as a guide (like a flow chart)?

    Define Scope --> Review ISP and related documents --> Perform SoA --> etc.

    Something similar to the Diagram of the ISO 27001 Implementation process, but for conducting an audit.

    Cheers

    Alex

  • Questions about risk

    Whilst attending your ISO/IEC 27001 Lead Implementer course, the following question (which actually consists of two subquestions) has arisen:

    After risk assessment (in which I have also considered already implemented controls in order to reduce likelihood and/or impact), I still have a small number of unacceptable risks (i.e. with a high risk level).
    Now I have to choose between the available risk treatment options. I decide to apply further controls (although I think I could also choose risk acceptance as a risk treatment option and, as a result, simply live with the risks due to my risk appetite). I pick 2-3 applicable controls from Annex A (although there are more applicable controls in Annex A which I do not wish to adopt), which will be implemented in the risk treatment plan later on.

    First subquestion: Is my thinking process aligned with ISO/IEC 27001 requirements?

    Second subquestion: I now have to create the Statement of Applicability. Can I only consider (in the SoA) those controls which I have considered as significant for reducing my unacceptable risks, OR is it mandatory to also implement controls (from Annex A) which I regard (in my opinion) as not really useful, or which I simply do not wish to apply?

  • Data Integrity

    One question I had in regards to the security clauses was: how does ISO 27001 ensure data integrity for us?

  • A.9.4.4 Use of Privileged Utility Programs

    A.9.4.4 Use of Privileged Utility Programs. Audit question: Have you documented how your organization restricts and monitors the use of utilities on systems that may be able to bypass system and application protection measures? Can you please explain this point? Does it mean that the organization needs to keep a check on the limited number of privileged rights?

  • Advice on dividing workload

    I will be working on the ISO 27001 for *** together with my colleague, and we are having trouble with dividing the workload between us. Every document in the package, and every corresponding clause in the norm, seems to be an extension of the preceding one. The formulation of the policy, for example, has to be built on the definition of the scope. This makes it complicated to work on the documents and clauses separately. Do you have any tips or advice on this issue?

  • Conformio dashboard

    I need a bit more clarity with some actions on the Conformio dashboard.

    1. What does "Determine required communication" mean, and how do we show compliance?
    2. How do we show compliance with "Introduce no-blame security culture"?

  • Control A7.1.1

    Control A.7.1.1 is only partially applicable in Brazil under the law. In this case, can I put NO in the SoA and explain this, or do I have to put YES and explain the exceptions?

  • ISO 22301 planning phase

    Elements of ISO 22301 that need to be considered in the planning phase.

  • ISO 27001 exam

    I am your student at Advisera and have just started going through the course now. So far it has been a great experience. If there is any way for me to leave feedback, I am happy to do so.

    Very soon, I am expected to take the Lead Auditor exam and am sort of lost now, as I am unsure which exam I should take. My key requirements are that I need to take an ISO 27001 LA certification that is not very expensive and does not expect me to attend a mandatory training program (as I am planning to go through yours).

    I have been told that for the PECB ISO 27001 exam I need to attend their training, and the same is the case for another one, IGC.

    Based on your expertise and experience, can you please advise me on the following:

    1. Is there any significance in selecting the right body for certification? For example, should I select Exemplar/PECB/BSI compared to IGC (as IGC is perhaps not that well known), and does it have an impact on the CV?

    2. Can you please point me to the right exam provider that does not need me to complete the exam compulsorily, and advise what is perhaps the best one (both from a cost and a recognition standpoint)?