ISO 27001 & 22301 - Expert Advice Community

  • Template content

    Is it necessary to maintain the below-mentioned column in the Advisera templates? It means we can attach here any relevant documentation relating to this template, for example Disposal_and_Destruction of Devices. If we do not maintain any such document for hardware scrapping, then do we have to maintain that document and mention it here?

    Will it be advisable to delete this column if we do not have any supporting document for the particular topic?

    Here, like in this template in point 4, it is mentioned as "Managing records kept on the basis of this document".
    It means we can attach here any relevant documentation relating to this template, for example Disposal_and_Destruction of devices. If we do not maintain any such document for hardware scrapping, then do we have to maintain that document and mention it here?

    Will it be advisable to delete this column if we do not have any supporting document for the particular topic? Or is it mandatory to maintain this column for the documentation?

  • Performing risk assessment and risk treatment

    I'm interested in the necessary steps regarding risk assessment (and what follows) that should be taken when an existing asset is removed from the company. E.g., it was decided that a power generator is no longer needed, and possible power failures will be covered by a UPS.

  • ISO 27001 - what to do after certification

    1. Just a quick question. After you go through all the steps in ISO 27001, and after you get the recertification, do you need to redo a risk assessment every year? Or do you just follow up on the risks?
    2. And risk-wise, do you do threat modeling/profiling to better capture risks, or what would you recommend?
    3. And finally, what would you recommend doing yearly (and planning yearly) so that the certificate is kept in good health? Thank you very much in advance; any help is indeed greatly appreciated.

  • Documents implementation

    1. As part of the ISMS implementation, do all the Advisera templates have to be read and understood by all the colleagues in the organization after filling up the templates, or only the Information Security Policy document?
    2. In every document, it is mentioned as "Users of this document are [job title]." So here, should we mention the concerned approver or the person (e.g., the CISO or all the users in the department)?

  • Compliance officer, DPO, and CISO

    How would you describe the differences and overlaps between the jobs of a Compliance Officer, DPO, and CISO?

  • Handling assets

    When identifying assets, can I lump them together or is it each one individually that needs a Risk Assessment completed?

    E.g., 10 servers are identified as critical assets. Can I do a risk assessment on "Servers", or do I need to list CLIENTSVR01 in the risk register?

  • ISO standard for physical security

    I'm actually looking for an ISO standard for physical security rather than ICT security. If you could advise me whether an ISO standard exists for physical security, I'd be very keen to look at how this might be implemented.

  • Certification bodies in Germany

    From whom do you get an ISO 27001 implementation certified in Germany? From TÜV?
  • List of legal requirements

    Since we have to list all the legal, regulatory, contractual and other requirements in the attached form, do we have to list all the regulations and laws listed under the particular country (see link below)? For example, in the case of Germany, while listing the requirements, do we have to list all the requirements listed under Germany in the attached document?

    https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/

  • Roles in ISMS

    I have been appointed to help the company get ISO and eIDAS certification. I have to start from scratch, as I know NOTHING about security or compliance... So this newborn Compliance Officer hopes she can turn to you to help her; I am very nervous about the whole thing. I purchased the toolkit and I am currently working on WIP00_Procedure_for_Document_and_Record_Control_Integrated_EN.

    The questions I have:

    1. "Mail significant for the planning and operation of the ISMS/compliance with GDPR" should be recorded. This can be an Excel file on our SharePoint or an actual paper/pen notebook at the office, I assume. What would, in reality, be such mail? I can think of, e.g., someone who would send a letter exercising his "right to be forgotten".
    I will have to explain to the others in the company which mail they will have to register and what will not be considered "mail significant for the planning and operation of the ISMS/compliance with GDPR", but I don't really know the answer to that myself yet...

    2. I want to make a list, per function/role in the company, of all the responsibilities and tasks as described through the policies and procedures. Is there already a template for this? I don't find it in the kit.

    3. Also, is there a list of all ISMS-related types of roles, such as CISO, Senior Management, Compliance Officer, DPO, etc.?