Guest
I just viewed the ISO/IEC 27701 Privacy information management standard (First edition 2019-08) and I have learned that there are more than some minor modifications. In the Advisera documentation kit ISO27001/GDPR, I do not see (yet) anything about this.
Do you have an idea how to best deal with this? I do not find anything on the Advisera website about it (unless I have overlooked something). Will there be a publication and/or webinar/additional documentation available (can be payable) in the near future from Advisera's part?
How to prepare an action plan after external auditor has given minor NC?
I have the following question regarding a decision which impacts the ISO27001:
The owner/management (small company) has a company e-mail address. The owner does not like working with the company e-mail solution, so he wants to automatically forward the incoming e-mails from his company inbox to his private e-mail account (with Gmail). Additionally, he wants to send e-mails from his private e-mail account where the sender will be shown as his company e-mail. The use of private e-mail addresses is generally prohibited (currently implementing a policy for employees etc.). Is it possible to create an exclusion in the policies for the owner/CEO, and what other implications does this e-mail forwarding/relay have with regard to the ISO 27001 certification? The whole company is in the ISMS scope, but not the mentioned private e-mail account.
Hi, I am an IT Audit Manager at XXXX and XXXX maintains 3 different ISO 27001 certifications on different continents. There are only 2 of us working on ISO internal auditing and we are finding that testing all of the controls for 3 programs is no longer feasible, even if we divide them up over 3 years. Is it actually required that every control is tested by internal audit every 3 years? Or is there an easier way? How do other companies do this? Any help you can give would be appreciated.
Can you please share the link of the third-party risk assessment questionnaire?
Can someone be lead Auditor and implementer consultant at the same time?
When certifying ISMS according to ISO 27001, what additional documentation do I need for ISO 9001 certification of QMS?
1 - What is the best approach to assess risks where the treatment option would be to set up a business continuity plan?
If a company has a risk register with two risks at the same level, for example, fire and flood. These risks both score the lowest likelihood and highest impact. Typically for IT companies, the likelihood matrix used for assessing risks has low scales, i.e. the lowest is 10 years+ compared to 100 years+. This is because technology changes rapidly, so it is not beneficial to use scales with too high a time span. By using these low scales, a lot of environmental risks assessed will fall under the same likelihood even though fire will be more likely than a flood. So how can we justify where we want the treatment option to be to document a business continuity plan, where we see that we only want to create one for fire but not for flood even though they have the same risk level?
Please note that these are only examples. We just need support on how we should go about justifying assessed risk where we see the treatment option is to create a business continuity plan.
2 - And is there a good way to define what will go from the risk register to business continuity plans based on impact and likelihood scales? Or will this always be an extra round of assessing from the risk register what needs to go to continuity plans?