ISO 27001 & 22301 - Expert Advice Community

  • ISO 27001 Package of Documents

    In our pack of documents I was looking for a Policy on Privacy and Protection and any related procedures, but couldn't see anything. Are you able to help?

  • Initial Risk Assessment Non-conformity

    At our last surveillance audit our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable i.e. scoring less than 3, did not show any justification for why we made that assessment and Conformio doesn’t require that. Our assessment would have been based on the controls etc already in place at that time.

    Obviously, you are of the view that when making the initial assessment, it's not necessary for us to record why we make that assessment. What is the reasoning behind this?

  • ISO 27001 / ISO 22301 Tools for Consultants in German

    I'm currently working with your documents and came across the following issue:

    In the overview of all documents (PDF) there are links from the different documents to the relevant sections of the standard.

    If I reverse this linkage, I'm surprised that there is no link to any of the documents for the following Annex A controls:

    A.5.1 Policies for information security
    A.5.2 Information security roles and responsibilities
    A.5.3 Segregation of duties
    A.5.6 Contact with special interest groups
    A.5.8 Information security in project management
    A.5.34 Privacy and protection of personal data (PII)
    A.5.36 Compliance with policies, rules and standards for information security
    A.7.1 Physical security perimeters
    A.7.2 Physical entry
    A.7.4 Physical security monitoring
    A.7.5 Protecting against physical and environmental threats
    A.7.8 Equipment siting and protection
    A.7.11 Supporting utilities
    A.7.12 Cabling security
    A.7.13 Equipment maintenance

    That means those controls wouldn't be handled anywhere in the future ISMS documentation!?

    Can that be true?

  • 22301 certification

    We had ourselves certified according to ISO 27001 this year, which also includes a "small" BCM. How big is the additional effort if you want to be certified according to ISO 22301? I mean not the costs charged by the certification body, but rather the internal costs.

  • Toolkit documents

    Forgive my zero knowledge of ISO 27001. I am doing the audit finding but didn't find the template I needed in the Toolkit.

    Example:

    Subject: Information security roles and responsibilities.
    Description: All information security responsibilities shall be defined and allocated.

    Thank you in advance.

  • Where is your Continual Improvement policy template?

    We bought your full 27001 toolkit but I can't find the Continual Improvement policy template.

    Most consultants think it is a mandatory doc, do you think it's not required for the certification?

  • Exclusions of the ISMS scope

    If a unit in the organization (let us say HR) is excluded from the scope, there is a dependency between HR and other units (for example, HR is responsible for recruitment and training). Although HR is excluded from the scope, it still provides training for employees of other departments that are included in the scope. In this case, HR should be considered an external third-party provider to the other organizational units that are included in the scope, which means that HR should be controlled as a supplier.

    What do you think?

  • Creating the Register of Legal, Contractual, and Other Requirements

    I'm in the process of creating the Register of Legal, Contractual, and Other Requirements.

    Q: How specific do I need to be? Is this where I list all our clients, suppliers, etc., or do I give more top-line information and detail the specific interested parties later on?

  • TISAX and ISO 27001

    I hope this message finds you well. We are planning to implement TISAX and ISO 27001. We have one IT staff member and there is confusion about whether he should be sitting by himself in a secure office/area. My CEO asked me to check whether the clauses or interpretations in either TISAX or ISO 27001 specifically call for IT staff to have their own office area. Our current IT staff member is sharing the office with a member of the purchasing department.
