ISO 27001 & 22301 - Expert Advice Community


  • Adoption of ISO 27001

    1. We have been told by a client (a bank) that we need to become ISO27001 accredited as a company to meet their security standards.
    But we are only a small organisation and do not have in-house IT people.
    Would you recommend we contract an IT consultant for some time and use your framework?

    2. How do you work with clients like us? I’m not sure where to start.

  • Template content

    We need some guidance in understanding and applying one section of your template for the Acceptable Use Policy, §3.14 — E-mail and other message exchange methods.

    The final paragraph of that section requires that “Each e-mail message must contain a disclaimer, except messages sent through communication systems determined by IT Manager. Should a user post a message on a message exchange system (social networks, forums, etc.), he/she must unambiguously state that it does not represent the organization's viewpoint.”

    It is not clear to us the intended purpose or scope of this requirement. Does it apply to both business and personal messages? We state elsewhere that only business communications may take place over the organization’s information exchange systems. Is it referring to postings on social media talking about the company, which should state that it does not represent the organization's viewpoint? Can you give us examples of the kind of disclaimer that is intended here? I find no direct reference to this within ISO 27001.

    Is this really two separate requirements? One for all e-mail communications stating privacy requirements that we often see at the bottom of incoming e-mails, and another requirement stating that someone's personal opinion does not necessarily represent the organization’s viewpoint? Can you please help us understand this requirement so we can establish the appropriate controls.

  • Developing documents

    How to develop documents to meet the below audit requirements, and also the best way to provide answers to each of the requirements during an audit?

    1. Management commitment, including policy, roles, responsibilities & authority.
    2. Cl. 7 Support, including competence, awareness and control of documented information.
    3. Business continuity strategy, including resources requirement.
    4. Context of organization.

  • Roles and Responsibilities document

    Where would we include a listing of Roles and Responsibilities? Should it be included on one of the mandatory documents, or in a separate document? Or, is it even necessary at all?

  • BIA and RTO

    So, I would like to ask you some questions about BIA:

    1. How to determine RTO? It is clear for MTPD.
    2. Who determines RTO? Department responsible for critical activities or Department responsible for resources supporting critical activities (IT, logistics, …)?
    3. About your example during the webinar: if the RTO of IT is 8 hours and the RTO of one critical activity is 4 hours, and this one depends on IT, which RTO will be considered?

  • Procedure for Document and Record Control

    This question is regarding document scope, especially as it pertains to section 3.2 Document Approval.

    In our very small organization, all ISMS-specific documents would be reviewed and approved by two individuals. That I understand, no problem. But for client work/project-related documents that are created, such as project plans, creative files, copy decks, etc., often there is no review and approval process needed. Documents are created by the employee and sent to the client.

    How would that be described in section 3.2? Do I describe an "exemption" for review and approval of client project work files?

  • Cyber-attack contingency plan template

    Do you guys have a cyber-attack contingency plan template?

  • ISO 27017 certification process

    My first question is about the formal process for a company to get certified to ISO 27017 if it is already certified to ISO 27001. Is it just a matter of asking the audit provider to verify the additional questions and deliver the “statement of compliance”? Or is there a certification for which the company should conduct a proper and distinct audit to obtain it? My second question is: Can a company say that it is certified for information security management for cloud computing services just with ISO 27001/27002?

  • Video Tutorials not aligned to downloaded document

    I am using the video tutorials to complete my downloaded documents. However, they do not align completely. I am currently looking at the ISMS Scope tutorial, and the document being used in it does not align with the document we have purchased.

  • Template content

    In the file 00_Verfahren_zur_Lenken_von_Dokumenten_und_record_27001_DE.docx there is a comment from you: "Delete if the declaration of applicability precludes measure A.8.2.1 according to ISO 27001." Where are the measures? I have to read the measures first so that I can exclude them.