ISO 27001 & 22301 - Expert Advice Community




  • Needs and Expectations of Interested parties

    Are needs and expectations the same or different for one interested party? If different, are the needs and expectations both requirements for the stated interested party, for example a client? Or, in the case of the client, are the needs what the organization wants from the client, and the expectations what the client has of the organization?

  • Information security policy in contracts

    Do the information security policies have to explicitly be in the contract, or is it enough if they are in the employee handbook?

  • Feedback on Cloud Computing

    What does ISO 27001 say about deleting information in cloud computing?

  • Training on ITIL

    By having my whole IT team trained on ITIL, does it benefit getting 27001 compliance?

  • BIA questionnaire

    I'm finding your tutorials very helpful! I have a question for you: I'm assuming that I need to fill out the BIA questionnaire for each activity. How do I combine all the different questionnaires? Is there somewhere on your site that shows me how to do it?

  • Table Top Exercise /Drill Validity in meeting ISMS Certification

    Our organization has achieved ISO 27001:2013 certification for a few years. All the while, we have conducted full testing for our IT DR drill.
    Recently, we switched to the table top or plan walkthrough for our drill. Would this meet the ISMS certification requirements during the surveillance audit?
    As far as my understanding of Annex A.17.1 of ISO 27001:2013 goes, a performed test or drill is considered to already fulfil the requirements.

  • How do I handle the risk of control?

    1. How does one put in the risk/control of the asset?

    I have read your website in terms of implementing an ISMS for ISO 27001.

    First I have classified my assets, labeled them, and checked the risk of each.

    Now how will this relate to the ISO controls?

    What I don't understand is that the ISO has an annex, controls and some questions (or advice).
    Because... let me take an example of an annex.
    Ok, let's say employees are also an asset. So taking Annex 7.2.2,
    "Information security awareness, education and training":

    All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
    Does this mean one just has to educate the workers and partners on policies and then he is compliant with this annex?

    2. I watched one of your videos about ISO 27001, in which the speaker gave a simple method of a risk assessment table. So what impact does that table have on the ISO requirement?

    3. Assuming I have 10 assets, but 3 have a risk and 7 are okay.... which controls of ISO 27001 is this related to?

  • ISO 27001 implementation

    Good morning, I am adapting my company to the LGPD, but within the LGPD comes ISO 27001, and I have doubts about where to start and what information I need to gather.

  • A.8.3 Media handling

    I wonder about security controls in ISO 27001 A.8.3. Which one of them should also include paper as media?

    A.8.3.1 Management of removable media
    A.8.3.2 Disposal of media
    A.8.3.3 Physical media transfer

  • Nonconformities and corrections identified during an audit

    Can you record nonconformities and corrections in the same document that you are using to capture risks? For example, we have a risk register spreadsheet which covers all requirements, and we would like to have only one document capturing all of this, if it is allowed.
