We are ISO 27001 compliant and we have the GDPR controls in place as well. Last time we had an external audit, the auditor suggested that, while we mentioned the GDPR-related risk in the ISMS risk assessment sheet, the control numbers listed were not mapped correctly. Can you advise which of the Annex A controls are to be applied while we try to mitigate GDPR-related risks? Also, do we have any other Annex for GDPR-related risk controls?
Would this standard be applicable to a community non-profit with regard to ensuring continuity?
I am new to the ISO 27000 series, and I would like to know where I will be able to find intermediary device security requirements in order to adhere to the ISO standards.
Problem statement: an external auditor company did not include WFH or teleworking in their audit plan, but the company had already implemented an "ad hoc" WFH during this pandemic without consultation with employees and without government regulatory approval.
1 - Can an external auditor still consider this compliant, and can an ISO/IEC 27001 certification be awarded to the company?
2 - Is there such a thing as partial certification?
Hi, is it still allowed to perform a BIA for whole departments with the new 22301?
Our departments are:
22301:2019 says an activity is a set of tasks. In 22301:2012 an activity was a set of processes, as far as I know.
The problem is, for example, our IT does a lot of things like user support with a ticket system, running servers, VMs, server applications etc., performing backups.
But they are only 2 system administrators. So when I perform a BIA for
the main resources are the same, like IT administrators, physical servers...
It makes no sense to me when I write a plan: 2 system administrators with x plans.
I also have the problem in other departments. They do a lot of things, but not all the time. Like 5-10 "tasks/activities", or however I should call it, in each department. Same employees with partially the same applications. Resources are desk, thin client, monitor, building and so on.
So when I make a BIA, the department boss has to define how many employees he needs after a disaster and when. But that's impossible to define when the employees that perform these tasks are the same. Furthermore, as the resources are the same, we have x plans, and after 1 plan is implemented the whole department can nearly perform all these 5-10 tasks/activities.
I need details on document assets. Do we consider the employee information spreadsheet also an information asset? Or is it just the agreements, contracts etc. which are considered as assets? Please clarify.
When the organisation is certified with ISO 9001 and 27001 and has all the required policies in place, now that we are in a pandemic, what are the documentation changes we need to make in order to accommodate changes like work from home, health and safety etc.?
I want to make an asset movement register, but I am not getting a clear idea of how I can make it.
Do we have any format?
My only requirement is: in my company, when some asset like a laptop needs to move to another department, what register do we need to make in such cases?
When we get ourselves checked for surveillance of the ISO 27001 standard, we do receive non-conformities. We perform a root cause analysis and corrective action plan for the non-conformities and work to conform them. I would like to know if you have a template to perform the root cause analysis, like the fishbone method etc.
Is ISO 27001 relevant for clinical data management?