ISO 27001 & 22301 - Expert Advice Community


  • IS Manager role

    Please, I would like to know the roles of an IS Manager in any organization.

  • Document Control Procedure content

    In the procedure for document and record control doc, it says...

    “Each external document which is necessary for the planning and operation of the ISMS/compliance with GDPR must be recorded in the incoming mail register. The incoming mail register must contain the following information: (1) document number, (2) sender, (3) document name, (4) date of receipt, (5) name of the person to whom the document has been forwarded.”

    1. Is this something that is needed for ISO?
    2. How do I know which external documents are necessary for ISMS compliance?
    3. Also is there an incoming mail register document as part of the templates?

  • Security awareness training

    Do you have any hints on what points should be taught in an awareness session for users?

  • Consequence and Likelihood after Risk Treatment

    We are developing our Risk Register using the Advisera Templates. We have to mention the values of Consequence and Likelihood after the Risk Treatment, i.e. the Residual Risk. Will the application of a control reduce the “Consequence” as well?

    For example, “Unauthorized Physical Access to Data Center” may have a “High” consequence and “Medium” likelihood. After the application of controls like CCTV/door locks we can reduce the likelihood to “Low”, but will it reduce the “Consequence” as well?

    Even after the control is applied if there is a breach it will have the same Consequences.

  • Internal audit after certification

    Dear Advisera team, greetings. Just some clarification on the topic of the Internal Audits that one needs to do after the certification. Do we need to audit aspects of ISMS on the IA (like Leadership & Commitment (5.1))? I ask because the external auditors on the surveillance audit will for sure check the ISMS level of implementation on the business, but can I just check on annex A controls? What is mandatory (and what would you recommend)? Many thanks in advance.

  • Assets detail level and segregation of duties

    We ordered your ISO 27001 toolkit to prepare ourselves for the XYZ audit. Our company XYZ is an XYZ-employee company developing and licensing its own software as SaaS. The DevOps infrastructure is hosted internally, but all SaaS services are provisioned from the AWS cloud. Employees in our company are divided into two groups: sales/marketing and developers. Developers have several roles because they are developing software, administering the production system and, to some extent, providing customer support. Most of the admin processes (finance and payroll) are outsourced. These are typical arrangements in companies of about our size.
    1. I am struggling with the level of detail for listing assets in the 10.1 Risk Assessment Table. Does the standard define how detailed assets must be, or, more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be “development operations system”, or do we need to break it down in more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira for task management, etc.)? A similar question concerns our SaaS service: can I describe it as one asset even though it has several technical components inside?
    2. My second question is related to the separation of duties, because we simply do not have enough development people to define strict roles between people; the same people do development and deploy versions in production. Of course, there is a well-defined process to test and accept a release candidate before it is put into production.

  • ISO 27001 data center control requirements

    I have a question: what are the ISO 27001 data center control requirements for facilities and operations?

  • Implementing ISO 27001 in different countries

    We have a company with locations in 3 countries: Germany, Italy and the UK. Of course, we registered our company under 3 different legal names based on the country. So the main name is always the same, but based on the country the name has a different extension and is therefore slightly different in each country. We want to get ISO 27001 certified in all 3 locations/countries. Do we now need to do 3 audits, one in each country? Or is it enough to implement in all 3 locations and only do 1 audit which will cover all 3 locations? What possibilities do we have? / Any advice?

  • Screening requirement

    Can I use a sampling method to meet the personnel screening requirement of ISO 27001:2013?