Guest
I was just curious if either ISO 27001 and/or NIST controls specify the frequency at which (network and/or application) penetration testing should be performed?
1. I am having trouble finding out how these two documents are connected (are both needed?): 11.A.8.1_Inventory_of_Assets_Integrated and 07.1_Appendix_1_Risk_Assessment_Table_Integrated. In the inventory of assets:
2. How do we know how to assess "Impact/Consequences"? What do we base that rating on?
3. And how do we transfer that rating to the Risk Assessment table?
The issue is that not all employees have been granted a company-sanctioned device for accessing our office's network. Policy-wise we have restricted them to only using RDP, and they must have anti-virus software on the machine they're using to access our network; however, I feel this is not enough. I do not have as much experience in this area as others may have, so I'd like to know how other companies deal with such a thing. Can we force our employees using their own devices to install MDM software provided by the company so that we have some control over what's connecting to our network? Is that the best route, or will backlash/pushback from the employees being forced to install something they may deem intrusive actually work against us in this process? What about employees accessing our email system (Office 365) on their personal phones: should we extend MDM and controls to those devices as well? Can/should we define a list of acceptable phones/operating systems to be used in our BYOD policy?
Any insight you could provide here would be greatly appreciated. In a perfect world, I would issue each employee a company-owned laptop/phone to deal with this situation, however, we just do not have the budget to go that route.
What important aspects of the ISO 27001 standard can I include for logical security at the company where I work?
I'm working on a university project; the subject is to price the security of a company whose main business is to give advice on cybersecurity. This company is located in 6 different nations (XYZ) with a total of 740 employees, with the HQ in XYZ. I'm aware that ISO 27001 is a main criterion today for a company because it can provide you some guidelines on what to protect and allows you to gain the audience thanks to the certification. But my main concern is to understand how to implement it.
Where should I start with this certification? I mean, I have a budget of XYZ USD and the main focus should be the protection of the confidential data. By seeking information on the internet I cannot gather enough information on the budget that I should enable for the company.
I got the IT Security Premium template. There is one part where I don't understand what I should write. It is this point in the A8.2 IT-Security Policies:
"Connecting to communication networks and data exchange must reflect the sensitivity of data and is performed [specify how this is technically implemented, or make reference to a document defining the process]."
I would like to know what it is about exactly. What should I describe there?
1. I purchased your Risk Assessment Table and Risk Treatment Table. I have completed this phase of the planning for our ISO certification. Now, once I have filled out the Excel spreadsheets, does that count as my "Risk Report" for purposes of satisfying the mandatory document for the certification audit?
My next step is the SOA, correct?
2. What course do you recommend so I can be prepared to do an internal audit and improvement for the ISMS for my company?
We did the certification audit last year on one function (customer support) and got the 3-year certificate. Since then we bought a company and would like to expand the scope to include the new company and also additional functions across both functions. Do we need to 'start over' and recertify, or is it possible to do the surveillance audit for year 2?