ISO 27001 & 22301 - Expert Advice Community

  • Time dedication to work on the implementation project

    I work for a StartUp and we develop an android application of XYZ. We are interested in implementing ISO 27001 but we have some interrogations on how much time it takes. Your solution with a tool kit is a very good option because it is cheaper than a consultant and we can't imagine going on the ISO journey alone! During the webinar, you said that for a small organization (we are 2 in the US for the strategic part + a development team of 3 people in India) it can take between 5 and 8 months to implement ISO 27001. Can you tell me in this case with your tool kit how much time do you think the project leader should work on ISO during his week?
  • 27001 Scope Confusion

    Our company is doing a product-specific scope for ISO27001. It's not clear to me how complex this will get to carve out the scope of the product when dealing with internal shared services.

    For example, Corporate IT manages the laptops, office networking, and e-mail accounts of the engineers/administrators of the product, but has no access to the network/servers of the product itself. Compromise of their office networking, laptops, or corporate accounts may influence the security of the information/system in scope (stealing credentials, exploitation of trust, etc.). I know this depends on the auditor, but is it reasonable to state corporate IT processes/procedures as out of scope but still a dependency?

    Dialing this back though, nobody involved has a formal ISMS, nor a proper framework for policies/procedures/controls.

  • Inherent vs Residual Risk

    Considering the initial risk assessment is done taking into account controls already in place, is it accurate to say that if these controls are sufficient, there should be no change between the inherent and residual risk score? Added to which, are there any circumstances where you would risk assess assuming NO controls? You wouldn't approach a risk assessment for crossing the road with a worst-case scenario at the outset, i.e. with a blindfold, earplugs and at rush hour there is a high probability you will be killed?! That can't be your starting point or all risk assessments would be artificially skewed.
  • Accreditation bodies for training providers

    I wonder if I can be cheeky and ask your advice, I am looking to study for my ISO27001 lead auditor certification, I see there are a couple of different certification bodies. Would you say the IBITGQ certification holds the same weight as the others or should I look to the others? Thanks in advance for your advice.
  • ISO 27001 Implementation Committee

    I was hoping to ask you which parts of an organization would sit on the ISO 27001 Implementation Committee for a company?
    HR / Legal / IT representatives / Security personnel, for example.

  • Justification in the SoA

    Hi, I have some questions about the "Justification for selection / non-selection" in the SoA:
    1. Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?
    2. We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability "inadequate protection from unauthorized access" occurs many times. Is it acceptable to justify on the basis of 'All risks associated with "inadequate protection from unauthorized access"' rather than itemize each risk?

  • Recommended file/folder structure

    Is there a recommended file/folder structure best practice for ensuring quick access to live and most frequently used documents? Is there a recommended resource for templates for Access control matrices, asset registers, etc. for SharePoint / Office 365?
  • Management review

    I have a question about the Management evaluation protocol.
    My question is about documents that need to be checked during the meeting.
    "Documents or descriptions of monitoring results and analysis of evaluation measures". Can you please explain that to me? I don't understand that.

  • ISO 27000 definition

    It has been a long time. I have been reading one of the articles from Rhand Leal and it is causing me concern. Advisera is a good source, but when your recommendations run counter to my advice to my customers I need to try and fix that.

    I know everyone has a different take on what security incidents and events are.  Rhand Leal’s article is very difficult to reconcile with my recommendations.

    My definitions:

    Security Events are events: Things that are logged by tools like Event Monitor on Windows:

    Successful logins are events just like unsuccessful logins are, access to files is an event, locking and unlocking a screen is an event. In the analog world, leaving a laptop unattended would also be an event.

    When Rhand says that an event has to be related to the possible failure of controls or "compromise of policies", it is like saying that an incident is just a lot of events, or that all events are really junior incidents. I think that is really incorrect. Events are the data upon which you can determine if controls are effective or not, but events by themselves have no positive or negative connotations. A door being opened with a LEGIC card is an event. If the person with the card is not authorized, then it is an incident.

    A security incident, I agree, can be an event or group of events that indicate a compromise of business operations (Confidentiality, Availability, Integrity). An example would be a door being opened with a valid key by an unauthorized person.

    For me, non-compliance is something which is not in accordance with a standard or policy. Sometimes a non-compliance can actually identify an obsolete standard. Just one example would be the conflict between password policies and the newest recommendations from NIST (e.g. changing passwords every 90 days is no longer a recommended procedure).

    For me, the preferable category is "weakness". Usually, if not always, a valid non-compliance will identify a weakness, a weakness being the state of affairs that promotes an incident. Examples of weaknesses would be missing patches. Another example would be insufficient awareness training. Basically, a weakness could be the lack of any relevant security control.

    So, with that, could you (or Rhand) try and convince me that I am wrong, or get Rhand to change or delete his post.

    Thanks in advance.

  • iso27001 LI course with the workshop / which certificate do you provide?

    I am interested in the iso27001 LI course with the workshop on the 22nd of November. However, I can only take this course if you are an accredited CB as I need the certificate to be issued from an LI course provided by an accredited CB.

    Are you an accredited CB? Or do I get any certificate for this course provided by an accredited CB?

    Does your course match my needs to get the right certificate?