ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit register of requirements Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 9001:2015 ISO27001
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISMS operation before certification

    I just have one big question. How much time ISMS has to operate (month, days, years) in order to get certification?

  • Risk Assessment

    I have two questions regarding the Risk Assessment Table.

    1.  We are preparing this table for the first time. When listing an asset, is it ok to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately or can I make one entry for "desktop computer" assuming the risks are the same for all 10?
    2. My second question is about the existing control column. Is it ok to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS" or must I site a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.

  • ISO 27001 2019 review

    Is the information on the following link still relevant?

    (https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision)

  • Assignment of documents

    Hello,
    we use XYZ as our document management system. I have mapped the structure of the ISO 27001 Standard in XYZ. 
    This means that I store all documents of the nom chapter 4.1 in XYZ. I now have the problem that I did not know where to file documents for Annex A. So the password policy concerns the sections A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3. But how and where do I store them in XYZ? Does this belong in separate subchapters of chapters 8.1 or how do I do it best?


    I would be pleased about quick feedback

  • BCM framework and policy

    Currently, I am drafting BCM framework for my small organization which is on SAAS platform. We have multiple sites as well with in XYZ and XYZ as well.

    May you please give me some inputs/ guidance, how to draft the framework and policy and what points to consider keeping in mind SAAS.

  • Level of information classification

    Hello all, I wanted to know what would be the most appropriate level of information classification given to the sensitive and Non-sensitive PII.
    Are they considered confidential or less? or just restricted?

  • Business continuity management questions

    Hola, trabajo en consultoría en sistemas de gestión y quiero informarme información en este manual de continuidad del negocio, consultas: que tipo de incidentes pueden disirumpir el negocio? solo hace referencia a la seguridad de la información? o se debe identificar riesgos asociados al negocio especifio. Teniendo en cuenta que viivimos en Uruguay pais donde no hay terremotos ni volcanes, ni nieve solo puede haber una tormenta fuerte, el alcance de esto esta orientado aplanes de emergencia y evacuación y seguridad de la información?

  • Documenting policies

    I would like your advice on whether or not you feel we need to have a separate document that outlines BYOD and Teleworking or it would be sufficient to put these policies in our Staff Handbook which is quite extensive.

  • ISMS documents

    The website does give a preview but not of all documents.  The web site, however, advertises that all documents are provided: https://www.screencast.com/t/ShGCKdye1

    Logically, the controls documents (or at least a listing of the appropriate information in the documents) are required for completion of the project for certification; otherwise, I am flying blind.  Yes, the consultant support is nice, but I cannot reference a consultant all the time.

  • Risk assessment and treatment

    We had purchased Advisera’s ISO 27001/22301 documentation toolkit. With regard to the risk assessment and treatment score, our consultant wants to adopt a different matrix for preparing the risk register since he has not come across the scoring methodology you have suggested in the attached document.

    Could you please confirm that the scoring method you have given us (for the likelihood, severity and risk scores) is an accepted method by certification bodies since we do not want to face problems with our certification body?
Page 194 of 544 pages