ISO 27001 & 22301 - Expert Advice Community


  • Difference in clauses

    When I read ISO 27001 I had one question I wanted to inquire about: what is the difference between clause 6.1.2 and clause 8.2, as well as between clause 6.1.3 and clause 8.3? Is it just a repetition of the information? Please explain. Thank you very much.

  • Question about policy

    1. Is there any document showing how to link policies? That is which policies are dependent on which policies?

    2. How to show the risks of inadequate leadership in a nice way?

  • Disaster recovery plan difference

    1. Can you please advise what the difference is between the EN and the cloud documents (screenshot below)? The READ THIS FIRST does not explain it. I checked the Table of Contents. Is it for different scenarios depending on whether existing systems are cloud-based or on-premise? Apologies, but I thought it would save time to ask.

    2. Also, I can open the files on my personal computer, but when I copy them to my organization's network, they won't open even when I rename them. They must be blocked by our own security filters.

  • Objective for certification the university

    Five clear objectives for certification that the university would like to achieve according to ISO 22301, that is the question.

  • Annex A

    1. ISO 27001 Annex A - I have a question regarding A.14 System acquisition, development, and maintenance. We are a software development company. Does this part apply to the software we develop (as a business) or only to internal software we could develop, I mean for internal use?

    2. ISO 27001 A.15 - May I apply this measure to critical IT suppliers only? Or should I apply it to all suppliers?

    3. In Annex A, can we justify not choosing a measure by saying "company capacity is too light" or things like that?

  • Fast-track information risk assessments

    Hi,

    I have very limited time to conduct risk assessments - usually no more than an hour at most. I think it is important to hold a face-to-face consultation to capture the initial info, then follow up by e-mail for further details to cover the inevitable gaps.

    How can I make the best use of the F2F time I have? What are the right questions to be asking when using a basic asset-threat-vulnerability methodology?

    I appreciate this will be subjective and depends on lots of other factors - I'm just looking for a general approach at this point.

    Thanks,

    Brian.

  • ISO 22301 Communication Plan

    We have sourced the ISO 22301 documents from Advisera. Our Corporate Communications team is asking me to create a "Communications Plan and Crisis Management" Document as part of our BCP update. I don't really see any type of template for a communication plan. Is there one in the ISO 22301 suite of documents? Thank you.

  • Question about PII data

    What about PII data? Is it necessary to have a policy, or just to make a reference to the laws?

  • Annex A

    1. I love your videos. I want to be clear on something. How do the clauses and the Annex A controls work together for ISO 27001?

    2. Please, does the workshop explain and take a person through the implementation process?

  • Cryptography Controls

    Can you explain the implementation of the cryptography control?

    1. Which areas do we need to implement in an organization?

    2. An example of encryption and decryption policies.