Guest
Hi - I am getting ready to conduct an ISO 27001:2013 internal audit of an organization. The plan was to conduct onsite visits in other countries. Question: Can I conduct a remote audit if possible?
A question about Risk Assessment: we're a small company (5 full time, 2 part-time staff). It would be simpler for us to say that the Information Security Officer is the asset owner for all assets. Is there a problem in doing that?
Sorry to disturb you. I'd like to ask if the 22301 book on Amazon relates to the 2019 version or the 2012 version. Thanks.
How do I construct an ISMS document and supporting documents?
My management is not in agreement to do Business Impact Analysis Worksheet and Risk and opportunities Register to proceed.
How can I convince them to do so?
I need your continuous support in managing ISMS to achieve certification.
Now I have 2 questions if you could help me with these:
If I choose to use 02.1 Appendix 1 (List of Legal, Regulatory and Contractual Requirements) right at the start of the project (because Annex A control 18.1.1 is also likely to be applicable), could you explain to me:
Hi, which templates cover the following ISO 27001 clauses?
A.8.3.1
A.12.5.1
A.12.6.1
Today we bought the BIA toolkit for the ISO 22301:2012 version of the standard. But, checking the document, I cannot identify the RTO and RPO values.
These values are very important for us because our customer is requesting them as part of the BIA report.
How can I identify, relate or include these values in the Excel questionnaire?
I do have one more question about best practices for ISO 27001 implementation regarding corrective actions.
Let's assume the scenario:
- We have implemented an ISMS policy.
- During the internal audit, we have found a non-conformance to the policy in a specific area/control.
We can take three decisions based on known risks:
The option to address it in the short term is always the best, but I want to find out the best practices for long-term solutions (option 2).
Is it better to keep the non-conformance list or exception list and revalidate it every time?
I have the following question:
Company A rents virtual as well as complete servers from a hosting provider. On these servers a development company develops customized software for company A. The scope of the ISMS of company A covers the whole organization and therefore also the data and applications on the servers. Company A has no software development of its own.
Question: Regarding 14.2.5, 14.2.6, 14.2.8 and 14.2.9, can company A exclude these controls in the SoA and only apply 14.2.7, as the responsibility/risk is contractually transferred to the development company and company A does not have any software development of its own? The risk assessment has shown some risks with regard to the development process on the servers, but these have been treated by contractually transferring the liability to the solution provider and applying chapter 15 controls. Contractually, the development company is responsible for maintaining the security of the servers. What would be the best approach here?