Guest
I obtained a certificate through Advisera.
I’m working at a certification body and am gaining experience.
But I understood I need to send my certificate somewhere to become accredited.
Can you please elaborate on that?
I'm interested in applying the MS documentation hierarchy according to ISO 10013:2001; please address this, and also in relation to this now being a withdrawn standard.
I would like to know examples of Information Security Objectives which are measurable. I am in the process of coming up with the IS Policy using your template.
Hi! I would like to know whether in ISO 27001 from 2022 there is a statement on log retention periods regarding critical assets. I would like to know what the minimum requirements (meaning minimum time periods) are for keeping logs containing critical data.
I am working on the ISM Policy and would like to know which other measurable objectives we can include besides the generic ones.
Having operating system software and databases that are at the end-of-support life cycle is a serious and ever-present vulnerability in any IT operation. I do not find this vulnerability in Conformio. I then tried to create this vulnerability, but I could not find a suitable Control from the list that is presented for selection. Conformio does not allow me to create a new control. Software and Database maintenance updates would be an appropriate control. This also applies to the vulnerability of using software that is not current. Please advise how I should proceed to create this new vulnerability.
a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?
b) Will the certification auditor not pass the certification audit if there are no risk treatment actions?
Hi Dejan
*** is progressing with its Electronic Money Institution (EMI) licence with the Central Bank of YYYY.
Below is a query received from the Institution:
13.1(h) A detailed risk assessment in relation to its payment services, including fraud:
a. Please provide verification of the progress of the gap analysis the firm is undertaking against ISO 27001.
Would you be able to advise whether, if we conduct a risk assessment specifically of payment services to identify the gaps, this may suffice for the Institution? Or is there another process we could do?
Within the file 06.1_Appendix_1_Risk_Assessment_Table_27001_EN.xlsx, the example given for the laptops' Asset Owner is "User".
Considering ISO 27002 recommendations, the laptop "User" does not seem to fit the role of Asset Owner in accordance with ISO 27002:2022. May I know how to counter the auditor's response if he or she raises the concern?
In our ISO 27001 package, is there a document template for a Security Risk Management Plan? Or is this covered in 05_Risk_Assessment_and_Risk_Treatment? I couldn't see a document for a plan, only the assessment and methodology.