ISO 27001 & 22301 - Expert Advice Community




  • ISO 27001 Foundations Course comment

    “List of all the controls from Annex A and any additional controls that might be identified in the risk treatment process”

    “all the controls from Annex A” means the 114 controls.

    So this should be false, and the quiz considers it true.

    I know it’s meant to be the SELECTED controls from Annex A, but that is not what is written.

  • Managing records kept on the basis of documents

    Hi Advisera,

    A lot of records (e.g. Risk Treatment table, or SoA) that should be created and managed should be according to templates in pdf format. I understand that. But there is a version history in Office365, so that we can check whether there were some unauthorized changes. Is that enough, I mean storing the records in Excel or Word form, not pdf, but with a version history turned on?

  • Network controls

    The ISO 27002 requires (in A.13.1.1) Control: “Networks should be managed and controlled to protect information in systems and applications”.

    I am interested in particular in items f) and g).

    What is meant by “systems on the network should be authenticated” / “systems connection to the network should be restricted”?

    What is meant by “systems”?

    Can you please give me some examples for better understanding?

  • ISMS Manual contents

    I'm currently guiding an ISO27001 implementation project and helping people in my team understand what documentation needs to be done. A topic that comes up regularly is the need for an ISMS Manual. I understand this is not a mandatory document and, to be honest, it takes in lots of repeated (summary) information already in other documents of our ISMS.

    However, I understand some concepts written in this manual may be useful, such as explaining our Information Security organisational structure and the documental framework of the ISMS (what documents do we have, how do we split them into policies, procedures, work instructions, etc.).

    What do you recommend for documenting this type of info?

  • Changing career to Lead Auditing from LIMS company

    Hi. I have been working as a part-time Consultant for *** for close to 6 years now.
    However, a friend told me about Lead Auditor late last year and it really got me interested.
    I do not have experience in Information System Security or a lot of Information Security, given that *** is a LIMS company.

    Please advise how I can change my career to Lead Auditing from Laboratory Information Management Systems configurations.

  • ISO 27001 corporate vs business functions

    I wonder whether you could advise me. We are planning to have an ISO27001 assessment, but the assessment team is planning to audit the Business function assets as well. However, as far as I know, ISO27001 deals with Corporate functions only (workplace, HR, IT, Procurement...). Could you let me know whether my understanding is correct? Is there any article already written on this, please?

  • How to prepare an audit?

    How would you approach preparing for an audit taking place in 8 weeks? What would you prioritise, and how would you ensure non-conformities are minimised?

  • ISO 27001 Lead Auditor certification paths

    Could you please help me to understand the difference between the ISO 27001 LA certificates according to the different paths you describe?

    I think I don't understand the principal differences between:
    1) the ISO 27001 Lead Auditor certificate I obtain if I pass the appropriate exam provided by you and certified by Exemplar Global
    2) any other ISO 27001 Lead Auditor certificate (e.g. issued by PECB) that is provided only after going through all the steps described here:
    I'm concerned because I need the certificate to be able to conduct internal audits for the clients, but for now I have only 1 year of professional experience (in ISMS), and PECB, for instance, provides Lead Auditor certificates only if you have at least 5 years of experience (including 2 years in ISMS).

    I would greatly appreciate your support.

  • ISO 27001 audit and implementation

    I am new to the ISO 27001 space, on my first day with my first client. What discussions do I need to engage in, what do I need to do, what do I ask, who do I engage, etc., to commence 1) an ISO 27001 audit, 2) an ISO27001 Implementation?

  • Information Classification Policy - “labeling” of information

    I am going through the documentation and have a question regarding the Information Classification Policy.

    More precisely regarding “labeling” of information. I would like to stick as close as possible to the default document.

    However, as a B2B communication agency almost all information we manage (and that is a lot) can be classified as “Internal use”.

    Is it ok to specify that all “(unlabeled)” or “INTERNAL” labeled information is to be considered “internal use”?

    So that we can avoid needing to label just about everything with the same label.

    Could an alternative be to use “(unlabeled)” for “internal use” and “public” for “public” assets?
