ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4149
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Risk Assessment Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Certification ISO 14001
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISO 27001 EA Codes

    I was trying to find out if EA Codes are required or part of ISO 27001?

  • Disaster Recovery and Business Continuity Testing

    Hello,

    Within ISO is there any stated requirement of how often you should test your back-ups, sequel data bases, etc..  Annually, quarterly, yearly?  Also, for BC testing and exercises?  

     

    Thank you,

  • Clarification on ISO 27001:2022 certification

    Good day. In the context of the current implementation of ISO 27001:2022, and towards certification, I ask if guidance may please provided, regarding the following: We are a company of around 60 employees. We are working towards implementing the standard throughout the company; and risk assessment has been done accordingly. We have come across a doubt, however. While our line of business includes manufacturing and also services providing, we also plan to offer a cloud-based platform, accessible to customers via access credentials, where they can access information related to the equipment/services we provide.

    1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.

    2 - If they were to be separate, how would this even be managed in Conformio?

  • Revision of assignment

    I’ve worked hard to document processes and policies but I’m afraid that our organisation might not be ready in time for the revision. That might lead to us having to update our documentation according to the 2022 version and therefore be even more delayed. I do understand that we will have to update eventually but I had hoped that we would be certified by this summer.

    A question might be, if I have documented a process but we are not quite there yet practically, would it be an idea to identify this in a risk analysis with a timeframe? If it is not a critical risk that is.

  • Setting up and passing the audit

    As we have two entities, one in Site A operating under the supervision of the regulator and 2nd in Site B providing services for the Site A entity, a few things to clarify:

    1 -Is the setup, documents, actions etc. enough for both entities, or I will have to prepare two different setups?

    2 -Also do we have to pass an audit to certify both entities or only the regulated body is enough?

  • Outsourced development

    I am struggling with the definition of outsourced development at the moment and seek advice.

    My CTO’s view is that we do not have any outsourced development which , if true, would mean that we should be able to exclude A.14.2.7. But I am not really sure what I think. We have a small team of developers in another country (Poland) hired by a consultancy firm. We have a dedicated Team leader (hired by us) leading that team (operationally) and the developers in the team are otherwise handled as any other developer in our organisation. Most of them being consultants, the only thing that differ is that the team in Poland is hired by a third party. They follow the same processes, use the same information (located in the management system) and are monitored in the same way as all other developers in our organisation. They are a part of our internal communication with department meetings, company meetings, using our organisations MS Teams etc). They have the same access (depending on their role and their need) and are added in our people register as any other consultant. This is the reason to why we are saying at the moment that we don’t have Outsourced development. But is this enough? Or are we, just because we are using a third-party firm to supply these developers by fact having an outsourced development?

    Really appreciate if you take time to read my question and any help to become a bit wiser in this =)

  • How would ISO 27001 help secure system from ransomware attack?

    How would ISO-27001 help secure a system from a ransomware attack for example WannaCry?

  • Information security policy review

    How do information security incidents impact information security policy (approved by Top Management)?

  • Residual Risk Question

    The risk assessment and treatment plan output document includes only the risk rating before the measures to mitigate risks. The auditor would like to see the measures taken to mitigate risk and the residual risk level in the output document. This information is available in the software but not in the pdf created by Conformio.
    Could you please add this information to the pdf document?
Page 25 of 542 pages