ISO 27001 & 22301 - Expert Advice Community


  • Third-party risk assessment questionnaire

    Can you please share the link to the third-party risk assessment questionnaire?

  • Lead Auditor and implementer consultant

    Can someone be Lead Auditor and implementer consultant at the same time?

  • Certifying ISO 27001 & 9001

    When certifying ISMS according to ISO 27001, what additional documentation do I need for ISO 9001 certification of QMS?

  • Risk assessment and treatment and business continuity plan

    1 - What is the best approach to assess risks where the treatment option would be to set up a business continuity plan?

    If a company has a risk register with two risks at the same level, for example, fire and flood, these risks both score the lowest likelihood and the highest impact. Typically for IT companies, the likelihood matrix used for assessing risks has low scales, i.e. the lowest is 10 years+ compared to 100 years+. This is because technology changes rapidly, so it is not beneficial to use scales with too high a time span. By using these low scales, a lot of environmental risks assessed will fall under the same likelihood even though fire will be more likely than a flood. So how can we justify, where we want the treatment option to be to document a business continuity plan, that we only want to create one for fire but not for flood even though they have the same risk level?

    Please note that these are only examples. We just need support on how we should go about justifying assessed risk where we see the treatment option is to create a business continuity plan.

    2 - And is there a good way to define what will go from the risk register to business continuity plans based on impact and likelihood scales? Or will this always be an extra round of assessing from the risk register what needs to go to continuity plans?

  • Filling template List of Legal, Regulatory, Contractual and Other Requirements

    We acquired the ISO 22301 Documentation Toolkit some time ago and just started to implement the ISMS for our company. I was delegated the project manager role for this project and, as this kind of project is completely new to me, I’m not sure whether I understand everything correctly. Right now we are at the stage of identifying the requirements and expectations of interested parties, and I expect that the people I’m about to interview will have trouble formulating their needs. I anticipate them going into too much technical detail about defining SLA, RTO, and RPO for their related Information Systems, which, as I understand, must be done later. However, I’m not sure what can be mentioned as requirements and how to help interested parties formulate their requirements. Could you please share some experience, maybe in the form of real-life examples, for filling in the “List of Legal, Regulatory, Contractual and Other Requirements”, with the focus on internal Information Resource owners’ requirements?

  • Templates content

    I’ve looked over the policy and found most of the topics I was looking for. However, I can’t see where the topics below would be covered—can you clarify?

    Document retention
    Individual user agreement (employee agreement/ responsibilities, often attached to hiring documents)
    Reporting InfoSec Weaknesses and Events
    Responding to InfoSec Reports
    Rules for Use of E-mail

  • Applicability of training for suppliers' employees

    Is it absolutely necessary to train selected employees of our suppliers (Chapter 3.4 Training and Awareness) if the risk resulting from the risk assessment table is very low? In the case described before, is it possible to delete control A.7.2.2 from the security policy for suppliers?

  • Management of supplier relationships

    I have a question about A.15_Supplier_Relationships: the toolkit doesn't really provide an Excel sheet or something similar to manage your Supplier Relationships. What is your suggestion on this topic?

  • HR policy for personnel security

    I need to produce an HR Policy that covers Personnel Security. This policy needs to cover:

    - Identity proofing
    - Qualification checks
    - Previous employment checks
    - Criminal records checks/police check
    - Employee obligations
    - Separation of activities
    I have reviewed the entire document set that I have purchased and I cannot find a policy such as this one in the mix.

    There is a section on Human Resource Security – but there is no policy – just the confidentiality statement and the statement acceptance.

  • Internal audit

    I have a question related to BC/ISMS certification.
    To accomplish clause 9.2 Internal Audit, is it acceptable to conduct internal audits at planned intervals with an external audit company, or MUST it be internal?