Guest
Having carried out the risk assessment, I have a number of risks that are the highest severity but lowest occurrence. Am I right in saying that the severity is based on the worst-case scenario that could occur based on the threat? For example, the threat that antivirus is not installed on a laptop. The worst-case scenario is someone gets our cloud admin permissions. However, this has never happened before, as we do have antivirus in place, just not the documented procedures. So it has the highest severity and a low occurrence. Due to the nature of our business, we want to have documented controls and mitigation in place for all our threats. This leads me to the treatment plan. We will put in place controls to treat this threat which I gave as an example. We will recalculate the risk evaluation after mitigation. Am I correct in saying that the severity and occurrence will not change in this case? Am I correct in saying the severity of the risk will never change, just the likelihood of occurrence? Thank you
How can the organization be ISO compliant on this topic (Intellectual Property Rights)?
For example, the organization protects its intellectual property rights, but it needs to protect the intellectual property rights of others as well. Should these be the intellectual property rights of all the interested parties?
I have seen this article on your website and I was wondering what this exactly contains. We work in a medical environment (XYZ) and would like to know if you manage a catalog with all country-specific laws.
I am looking for some references to prepare a document that would be used as guidance for managing performance indicators, but with an information security focus. They would be indicators for:
Availability: links, servers, services, etc.
Confidentiality: theft, fraud, etc.
Integrity: backups, viruses, etc.
If you have any material that could support me in creating this standard, I would be grateful; also, if you have more practical examples of these indicators, that would help a lot.
In the ISO 27001 Toolkit, we have the attached Template (Disaster Recovery Plan). My question here would be if we need only the attached Document to prepare our Business Continuity Plan for ISO 27001 Certification or we need to buy other related docs mentioned in the link below.
https://advisera.com/27001academy/documentation/list-of-business-continuity-sites/
Isn't it an actual license to be an ISO 27001 Lead Auditor? So if I have the certificate from this course, can I do that? What certificate do I need, what license do I need, to be able to do an audit in a company and get them ISO 27001 audited? Will this license allow me to do it or not?
1. How shall I deal with SaaS solutions such as Office365 and Gitlab.com when it comes to controls related to backups and business continuity? I don't think it is feasible to build an on-premise DR site for such a solution.
2. Also, do we have to keep a backup of our emails or does it depend on the risk assessment and whether we accept such risk?
Could you please elaborate more or give examples for this column under the Disaster Recovery Plan?
Hi, I have a question regarding ISO 27001 documentation. Can I combine control docs together where it makes sense to do so, or should they always be separate? For instance, I wish to put the individual user agreement, wireless user addendum, and mobile phone addendum under the same agreement. Is that allowed, or perhaps bad practice? Thank you
Do you think it is possible to use the output of ISO27001 controls/monitoring/records in an appropriate ISAE3402 Type II Audit/Report?
In ISAE3402, the auditor checks results/KPIs of a predefined set of controls against control objectives for a given time period in the past and produces an "Assurance Report".
It sounds to me as if ISAE3402 is just the "Check" part of the PDCA cycle of the ISMS?
It would be great to combine the two standards (provided the ISAE3402 scope is information security related, of course) and simply use the controls which have been documented by the ISMS, using the monitoring output and internal audit output for the auditor.
Is that common practice?