I saw your documentation on mandatory and non-mandatory documents. I want to know how we decide whether something is mandatory or not. For example, for 7.2 Competence there is no document in your templates... how will the auditor assume this is non-mandatory?
Toolkit content
1 - In the toolkit, I noticed that there’s no policy, or a reference to a policy, for each control in Annex A (e.g. A.11.1.6 Delivery and loading, or A.11.2.3 Cabling security, etc.). So I’m wondering if we can easily leave such things out of the ISO27K scope and so leave them out of the SOA? Or should we include them in a policy or write a separate document about these things? Or is it enough to write a short answer in the SOA on how this is implemented?
Implemented controls
What percentage of controls in the SoA do you typically see implemented as a result of the risk assessment? Organizations usually have a lot of the 114 controls already implemented as best practice, due diligence, or a requirement for legal compliance. Is 25% what you observe generally? Does that have any value in certification, i.e. how many controls are implemented due to risk mitigation?
Filling templates
We've purchased your toolkit and I'm having some issues filling out the document for the List of Legal, Regulatory, Contractual and Other Requirements. Could you please give me some guidance on it? What I actually need is some explanation of how to fill this out. I've listed the interested parties, but I'm confused about the other columns. What exactly should I put in: Requirement, Document stipulating the requirement, Person responsible for compliance, and Deadlines?
ISMS manual
During my last ISO 9001 external audit, the auditor mentioned that there is now no real need for a Quality Manual. I’ve also come across comments that this applies to the ISMS as well. What are your thoughts on this?
Access profiles
I would like your guidance as I populate the following tables in the Access Control Policy, specifically Section No. 3, on Access Control.
Scope of information security
Does the ISMS include information security for hardcopies? For example, if the company collects hardcopy application forms containing PII, are the risk controls applicable to handling information security for application forms? Many people seem to consider that the ISMS only covers security for removable media or electronic formats. Can you share your views?
Documentation update
How often should a company publish its ISO policies and procedures? Should it be done every time a policy or procedure is revised/modified?
Physical security and human resources policies templates
Please, do you have some physical security and human resources policy templates to share?
ISO and COBIT
I have some questions to ask you related to risk assessment, as below: