
ISO 27001 & 22301 - Expert Advice Community


  • Risk based calculation

    Why is risk only calculated based on physical assets? What about best practices, processes and controls that are missing in an entity and causing risk? For example, HR practices, asset practices. Does the CIA apply here?

    Can I not calculate Risk along the same columns of controls defined in SOA and create another Risk assessment sheet for other Assets like Hardware mostly under CIA.

  • Inquiry

    I have two statements I have come across in information security that are kind of confusing me.

    High-level controls and low-level controls. I have noticed you rarely use them in your trainings or blogs, but I need to understand what they are and how they apply to Annex A of ISO 27001.

    With some examples, kindly advise on the hierarchy of Annex A controls, and whether it's really necessary to have a hierarchy.

  • ISO 27001 EA Codes

    I was trying to find out if EA Codes are required or part of ISO 27001?

  • Disaster Recovery and Business Continuity Testing

    Hello,

    Within ISO, is there any stated requirement of how often you should test your back-ups, SQL databases, etc.? Annually, quarterly, yearly? Also, for BC testing and exercises?

    Thank you,

  • Clarification on ISO 27001:2022 certification

    Good day. In the context of the current implementation of ISO 27001:2022, and towards certification, I ask if guidance may please be provided regarding the following: We are a company of around 60 employees. We are working towards implementing the standard throughout the company, and risk assessment has been done accordingly. We have come across a doubt, however. While our line of business includes manufacturing and also providing services, we also plan to offer a cloud-based platform, accessible to customers via access credentials, where they can access information related to the equipment/services we provide.

    1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.

    2 - If they were to be separate, how would this even be managed in Conformio?

  • Revision of assignment

    I’ve worked hard to document processes and policies but I’m afraid that our organisation might not be ready in time for the revision. That might lead to us having to update our documentation according to the 2022 version and therefore be even more delayed. I do understand that we will have to update eventually but I had hoped that we would be certified by this summer.

    A question might be, if I have documented a process but we are not quite there yet practically, would it be an idea to identify this in a risk analysis with a timeframe? If it is not a critical risk that is.

  • Setting up and passing the audit

    As we have two entities, one in Site A operating under the supervision of the regulator and the second in Site B providing services for the Site A entity, a few things to clarify:

    1 - Is the setup, documents, actions etc. enough for both entities, or will I have to prepare two different setups?

    2 - Also, do we have to pass an audit to certify both entities, or is only the regulated body enough?

  • Outsourced development

    I am struggling with the definition of outsourced development at the moment and seek advice.

    My CTO’s view is that we do not have any outsourced development which, if true, would mean that we should be able to exclude A.14.2.7. But I am not really sure what I think. We have a small team of developers in another country (Poland) hired by a consultancy firm. We have a dedicated team leader (hired by us) leading that team (operationally), and the developers in the team are otherwise handled as any other developer in our organisation. Most of them being consultants, the only thing that differs is that the team in Poland is hired by a third party. They follow the same processes, use the same information (located in the management system) and are monitored in the same way as all other developers in our organisation. They are a part of our internal communication (department meetings, company meetings, using our organisation’s MS Teams, etc.). They have the same access (depending on their role and their need) and are added in our people register as any other consultant. This is the reason why we are saying at the moment that we don’t have outsourced development. But is this enough? Or are we, just because we are using a third-party firm to supply these developers, in fact having outsourced development?

    Really appreciate if you take time to read my question and any help to become a bit wiser in this =)

  • How would ISO 27001 help secure system from ransomware attack?

    How would ISO-27001 help secure a system from a ransomware attack for example WannaCry?
