ISO 27001 & 22301 - Expert Advice Community


  • Application of controls, suppliers and HIPAA

    I have a few queries for which I request your help to boost my understanding of ISO 27001.
  • Risk assessment report

    Do you sell the "Risk Assessment Report" template that is mandatory in ISO 27001? We are using a tool to track risks, which has all the elements of the risk life cycle. Do we still need a document as a risk assessment report to show the auditor?
  • Toolkit's content

    I was trying to do an Excel file with all mandatory files and so on, to have documentation under control as much as possible, and a few questions arise, mainly because I have two lists from the documentation toolkit and they somehow collide, and also regarding names of documents. Basically my doubts arise from the differences between the documents called List_of_documents_ISO_27001_Documentation_Toolkit_EN (which I will call LoD) and Checklist_of_Mandatory_Documentation_Required_by_ISO_27001_2013 (which I will call CoM). Someone said once that a man with a watch knows the time, but a man with two watches doesn't. Which document is the right one?
  • Statement of Applicability

    My questions revolve around Annex A - in what format do we use Annex A in documentation? Do we leave it as it is provided by the standard? Do we annotate our specifics into it? Is it an actual Annex to the main ISMS document? When I look at the Statement of Applicability - it is identical but used in an audit / gap analysis context. Does the SOA include Annex A, in which case it is Annex A, or should they be kept separate? I think I understand the functionality of the main ISMS document and the SOA - I just don't see how Annex A is used without duplication of information with the SOA.
  • ISO 22000 and ISO 22301

    What's the difference between ISO 22000 and 22301? I am a food safety auditor and would like to train on a food safety ISO dealing with food safety and hygiene. Please advise before I start on the wrong field or a course irrelevant to my work.
  • Scope extension

    I need some tips on expanding the ISO 27001:2013 scope. We are certified but would like to extend the scope to include another entity of our firm. Could you please assist by sharing some tips on dos and don'ts to consider? Also, do I have to do the security metrics and risk treatment again?
  • Toolkit content

    Is there an overview that connects the individual toolkit documents to the controls of ISO 27001 Annex A?
  • Processes periodicity

    "processes that employees are doing on a daily or weekly basis." Please give me an example of this type of process.
  • Controls application

    Quick question: does ISO 27001 look for a one-to-one mapping of risks vs. controls in the SOA, or could I come up with 1 risk in the assessment and use 3 to 4 controls from the SOA to mitigate the risk?
  • Assessing the C-I-A of assets

    Q1: For a smaller company, can we choose not to assess the risk of an asset based on Confidentiality / Integrity and Availability?