ISO 27001 & 22301 - Expert Advice Community


  • Information Security Policy Creation

    I would want to know examples of Information Security Objectives which are measurable. I am in the process of coming up with the IS Policy using your template.

  • Statement for logs retention periods regarding critical assets

    Hi! I would like to know whether in ISO 27001 from 2022 there is a statement for logs retention periods regarding critical assets? I would like to know what are the minimum requirements (meaning minimum time periods) for keeping logs containing critical data.

  • ISM Policy

    I am working on the ISM Policy and would like to know which other objectives we can put which are measurable besides the generic ones?

  • Custom Control Creation

    Having operating system software and databases that are at the end-of-support life cycle is a serious and ever-present vulnerability in any IT operation. I do not find this vulnerability in Conformio. I then tried to create this vulnerability, but I could not find a suitable Control from the list that is presented for selection. Conformio does not allow me to create a new control. Software and Database maintenance updates would be an appropriate control. This also applies to the vulnerability of using software that is not current. Please advise how I should proceed to create this new vulnerability.

  • ISO 27001 certification

    My company was certified on ISO 27001 in 2019 and re-certified in Oct 2022. I am now implementing Conformio to help me in the on-going maintenance of the ISMS for future audits. I have just completed setting up the risk register and risk evaluation. Based on the controls that we have put in place over the years, all the risks are at an acceptable level. Our company has been in business for 30 years and we have a stable operating environment. Conformio shows a Warning message that there should be at least 10% Unacceptable Risk items to complete the Risk Register Step and to pass the certification.

    a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

    b) Will the certification auditor not pass the certification audit if there is no risk treatment actions?

    c) What is your recommendation?

  • 27001 query

    Hi Dejan

    *** is progressing with its Electronic Money Institution (EMI) licence with the Central Bank of YYYY.

    Below is a query received from the Institution:

    13.1(h) A detailed risk assessment in relation to its payment services, including fraud:
    a. Please provide verification of the progress of the gap analysis the firm is undertaking against ISO 27001.

    Would you be able to advise if we conduct a risk assessment specifically of payment services to ID the gaps this may suffice for the Institution? Or is there another process we could do?

  • Asset Owner

    Within the file 06.1_Appendix_1_Risk_Assessment_Table_27001_EN.xlsx, example given for laptops' Asset owner is "User".

    Considering ISO 27002 recommendations, the laptop "User" seems not to fit the role of Asset Owner in accordance with ISO 27002:2022. May I know how to counter the auditor's response if he or she raises the concern?

  • Key Risk Management Plan template

    In our ISO 27001 package, is there a document template for a Security Risk Management Plan, or is this covered in 05_Risk_Assessment_and_Risk_Treatment? I couldn't see the document for a plan, only assessment and methodology.

  • Risk based calculation

    Why is risk only calculated based on Physical Assets? What about best practices and processes and controls that are missing in an entity and causing risk? Example: HR practices, Asset practices. Does the CIA apply here?

    Can I not calculate Risk along the same columns of controls defined in SOA and create another Risk assessment sheet for other Assets like Hardware mostly under CIA.

  • Inquiry

    I have two statements I have come across in information security that are kind of confusing me.

    High level controls and Low level controls. I have noticed you rarely use them in your trainings or blogs, but I need to understand what they are and how they apply to Annex A of ISO 27001.

    With some examples, kindly advise on the hierarchy of Annex A controls, and whether it's really necessary to have a hierarchy.
