ISO 27001 & 22301 - Expert Advice Community

  • What are the laws and regulations to be included in the ISO 27001 Register of Requirements?

    I thought the ISO 27001 Register of Requirements should contain only laws and regulations on information and data security such as Personal Data Protection. I have seen examples of Companies Act, Employment Act, Taxation Act, etc. included in the Register. Why are these included as they do not relate directly to information security?

  • Questions about ISO certification

    We have bought the “ISO 27001 documentation toolkit” and now we have some questions:

    1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with an asterisk (e.g. #4): are they required for ISO certification, or can we decide whether they concern us or not?

    2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us?

    3. The headquarters and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, belonging 100% to ***. How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?

    4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for the certifier?

  • Questions ISO 27001

    Good morning, could you help me with the following questions?

    1. Must every information security policy have at least one procedure associated with it?

    2. Can security policies and procedures be written in the same document or should they be separate documents?

    3. Should the strategic information security policies be in a separate document from the technical information security policies, or can they be in the same document?

    4. What is the difference between policies, standards and procedures?

    5. Should the person in charge of information security be independent of the information technology area? Or can it be a person/position that is part of the information technology area?

    6. Can the technology leader also be responsible for information security?

    7. Do you have any template for how to write a strategic information security plan?

    8. Can you send me examples of Major nonconformities and minor nonconformities?

    9. Can the vulnerability tests of information assets be carried out by the organization itself, or must an external provider be contracted to carry them out?

    10. Is an information security incident the materialization of a security risk?

    11. What is the difference between an information security event, an information security incident and an information security risk? 

  • 27001:2022 Query

    Hi Dejan,

    Regarding this article:

    https://advisera.com/27001academy/blog/2022/01/30/main-changes-in-the-upcoming-new-version-of-iso-27002/

    What's the difference between a Section and an Annex? (Is the Annex just an Appendix?)

    ISO 27001 has 114 controls in Annex A - ISO 27002:2022 now has only 93, down from 114 - does this affect the controls in 27001 Annex A, and how? I.e. will they now be 93, not 114?

    So will ISO 27001 become ISO 27002?

    Also, in reality, how would a small company deal with the following:

    A.5.7 Threat Intelligence - gather information and analyse it? (interpret)

    Could this be outsourced to an AV/MDR provider, or something else?

  • SoA update

    I want to know how to convert an ISO 27001:2013 SoA to ISO 27001:2022 directly, rather than starting from scratch.

  • Controls in new ISO 27001

    Thanks for the read. Controls - are they also being implemented as the new upgrade in industries or sectors where 27K1 is applied from 2022?!

  • ISO/IEC 27001 Implementation

    I am working as an ISO/IEC 27001 implementation consultant. I need your help in defining the range of products we can use to achieve the ISO 27001 requirements and controls.

    ISO 27001 can be achieved with very simple tools such as Excel sheets, or with sophisticated tools that users are not familiar with, especially if we are speaking about medium and enterprise organizations.

    What are the tools we can bind to the ISO 27001 clauses and Annex A, to give the customer the chance to choose from different products and solutions to achieve ISO 27001 certification?

  • Change control document

    Regarding the document, I have a few questions that I hoped you could help me answer.

    Regarding change control, I noticed that your document only covers high-level changes; however, our needs go deeper, as far as controlling the changes in software, virtual machines and any other aspects of our technological and development environments.

    Could you assist me in tailoring this template for those needs, in compliance with ISO 27001/22301?

  • Is ISO 27001 certification relevant for us?

    I have a Ltd company with only 1 employee, and we deal with physical records storage in a warehouse. One of our clients has asked us to get ISO 27001 certification, but I don’t know if it’s relevant for us, as I was under the impression it was more for IT security etc.?