Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Template content - information classification policy
Control A.8.1.1 is missing in reference documents of „Richtlinie_zur_Klassifizierung_von_Informationen_DE“. Inside the "Erklaerung_zur_Anwendbarkeit_DE" control A.8.1.1 includes the „Richtlinie_zur_Klassifizierung_von_Informationen_DE“ as implementation method. Would you mind telling me what’s correct? -
Awareness and training for secure software development
I have a question about the appendix of the policy for safe development - the specification of safety requirements. I try to add the appendix into the risk treatment plan. What is the measure for awareness and what is the method for evaluating results? Who will have access to the document?
-
Implementation of policies
We are now starting the implementation of Information Security ISO 27001. I am on the phase of preparing control implementation of the policies. I'm facing difficulties, with start working on it.
-
ISO 27001 toolkit - which standard is it compliant with?
What is the version of ISO 27001 that your documentation is compliant with?
-
ISO/IEC 27701 Privacy information management standard
I just viewed the ISO/IEC 27701 Privacy information management standard (First edition 2019-08) and I have learned that there are more than some minor modifications. In the Advisera documentation kit ISO27001/GDPR, I do not see (yet) anything about this.
Do you have an idea how to best deal with this, I do not find anything on the Advisera website about it (unless I have overlooked something)? Will there be a publication and/or webinar/additional documentation available (can be payable) in the near future from Advisera part?" -
Action plan for non-conformity
How to prepare an action plan after external auditor has given minor NC?
-
E-mail use
I have the following question regarding a decision which impacts the ISO27001:
The owner/management (small company) has a company e-mail addresses. The owner does not like working with the company e-mail solution, so he wants to automatically forward the incoming e-mails from his company inbox to his private email account (with Gmail). Additionally, he wants to send E-mails from his private email account where the sender will be shown as his company email. The use of private email addresses is generally prohibited (currently implementing policy for employees etc.). Is it possible to create an exclusion in the policies for the owner/CEO and what other implications does this e-mail forwarding/relay have with regard to the ISO27001 certification? The whole company is in the ISMS scope, but not the mentioned private email account.
-
Vendor risk management career
I am in the process of building my career into Vendor Risk Management so wanted to check on what could help me be a better auditor and how to achieve my Goal. -
Audit planning
Hi, I am an IT Audit Manager at XXXX and XXXX maintains 3 different ISO 27001 certifications on different continents. There are only 2 of us working on ISO internal auditing and we are finding that testing all of the controls for 3 programs is no longer feasible, even if we divide them up over 3 years. Is it actually required that every control is tested by internal audit every 3 years? Or is there an easier way? How do other companies do this? Any help you can give would be appreciated.
-
Filling template
- Hello, in which document is my question: "Method for identifying requirements“ (chapter "02" of the toolkit). Where inside the document is my question: "5. Management of records for this document“ Column 4: Measure to protect the recording. The record will be the "list of requirements“. The defined measure to protect the recording doesn’t make sense to me (the German version): "Nurfalls [Stellenbezeichnung] zur Bearbeitung von Daten berechtigt ist“. Can you please explain that to me?
- My question is inside chapter 4 of the method for identifying requirements. How does the annual assessment of the ISMS compliance with the requirements take place? What proof is required for this?