ISO 27001 & 22301 - Expert Advice Community


  • Position and Function of an information security specialist

    I would like to know the position/function that a graduate in information security can play and if ISO 27001 has a requirement in this regard.

  • SaaS products

    I was wondering if you had previous comments on scoping ISO 27001 for SaaS products.

    Say a company is in the business of providing SaaS cloud-based solutions, with developers in house utilizing cloud infrastructure, what would ISO 27001 certification look like? The processes/datacenter used for the development of the SaaS application is ISO 27001 certified? The product might have multiple releases... so stay away from calling out the product as scope? And focus on people, process, site and dev, test, prod environments as scope?
    And if the products are from multiple locations?

  • Filling templates

    A quick question as I am writing my company templates.

    1. Document Owner, Document Approver, and Document Reviewer: are they normally the same person?
    2. When should the name be noted and when the role/dept.? (want to make dropdowns)
    3. Should Owner, Approver, Reviewer... all be on the Document? Or only author and owner?

  • A.7.3 Human Resource Security

    I have been going through the documentation but it seems to be incomplete. I started looking at Human Resource Security and it appears that A.7.3 is missing? It is listed in the Statement of Applicability but missing from the document area A.7 (A.7.1 and A.7.2 are there, but not A.7.3). I haven't checked other areas as yet, but are there likely to be other gaps?

  • Asset Inventory

    In your doc framework, there are two places where asset inventory is being used:

    1. In the Risk analysis – the main attributes of the pure asset here are name (and category) and the owner
    2. In A.8.1 – the attributes here are again name/category and owner, plus the result of the (last?) risk analysis?

    I am wondering where the classification info for the assets is taken into account? In some other examples for the inventory I found on the web, the CIA classification values are also stored, as well as numerous additional info like

    • process and org unit the asset belongs to
    • process owner
    • some flags for personal or customer sensitive data
    • CIA values
    • asset custodian (seems to be similar to the owner)
    • data retention period
    • users, location, etc, etc

    and in some examples, the records are different depending on the type of asset.

    Since we are SW developers in our DNA ;-) we are planning to build a little DB tool for the inventory and RA.

    The inventory structure you suggest with your framework, is it meant as the absolute minimum you require to survive an audit?

    So having more attributes will eventually make the assessment survey take longer, but should not be a problem, right?

    Would appreciate some answers very much!

  • Asset Type in the Information Asset Inventory

    In your book you state "... processes are not part of the asset inventory ...".

    And I cannot find processes in the predefined categories of the table in 05.1 of your doc framework.

    What is the reason for this? Are processes handled somehow separately? Or is it because we just should take into account the assets the processes consist of?

  • ISMS Scope

    We are using Google Cloud Services for all infrastructure and use other SaaS providers for e.g. identification services and financial status information on customers to the banks.

    Right now I'm working with the ISMS scope document and struggle a bit with the boundary of the scope.
    I assume Google IaaS should be outside the scope as well as the SaaS services we use.
    This is not as clear as the example used in your doc (private laptops and phones).

    Any guidance on best practices on ISMS Scope in our case would be greatly appreciated before taking the next step for us.

    (we would include the full company in the scope since we are very small)

  • Applicability of A.10.1 Cryptographic Controls

    Our organization uses Digital Certificates for Internet facing services, apart from that we do not use any cryptography. In this case, would A.10 be applicable to our organization?

  • A6 Internal Organisation

    In the Clause A6, we need to maintain contacts with the Superior Authorities and the special Interest Groups.

    Could you please explain this point. If I understood right, we need to maintain contact with the Superior Authority of the State where we can report any Data Breach.

    How can we prepare the documentation of it?

  • COBIT, ITIL and ISO27001 comparison

    Hello! Is there any comparison between COBIT, ITIL and ISO 27001?