ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Asset inventory and risk analysis

    Which and too and approach can I use to make my asset inventory and risk analysis in order to see which control I need to put in place?

  • Nonconformities, OFI's vs Low/Med/High Audit Gaps

    "I got ISO 27001 certified last year and extensively used your site for references and the courses and found the materia to be very valuable and easy to understand. I have successfully completed a number of ISO 27001 audits in an internal auditor role and still use your docs for reference.

    I am also CISA certified and the majority of my audits are IT General control audits where we rate gaps based on assessing impact and likelihood with ratings of low, medium and high.

    I was looking to find information on how major/minor nonconformities and OFI's would compare to the 'traditional' audit gap ratings of low, medium, high. Would you be able to provide some guidance?

  • Questions regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit

    1. Regarding EU GDPR & ISO 27001 Integrated Documentation Toolkit:
    Does it cover also ISO 27701:2019?

    2. Does it cover also GDPR cases where EU customer personal data is processed outside of EU in a country like ***? (like using standard data protection clauses adopted by the EU Commission, etc?)

    3. Does there exist an employee contract template which takes into account GDPR?

    4. Does there exist a B2B contract template which takes into account GDPR when processing EU customer personal data in a country like ***?

    5. Does there exist a B2B contract template which takes into account GDPR when EU customer personal data is processed outside of EU in a country like ***??

  • ISO / IEC 38500 question

    Do you have any thoughts on the ISO/IEC 38500?

    Would we want to add this after our ISO/IEC 27001 that we are working on?

    Also, in regards to the ISO 22301, does this compliment the GDPR that we are working on?

  • A.9.2.5 Review of user access rights

    Hello Advisera Team, 

    a question to this control: A.9.2.5 Review of user access rights.

    What we need and what we have now there is that user access rights are reviewed when there is a change in employees status (e.g. department or position is changed).

    Is it enough or is periodical review meint here?

    Thank you!

  • Assets ISO 27001

    Hello Dejan,

    In the Appendix 1 in the toolkit I bought you are proposing some assets, I need to ask the whole company (management and so on) to give me a list of all the assets and mark whoever the ones that are more critical for our organization. But on what level should we specify the assets?

    For example, the ones you specified: 


    • Management
    • Employers
    • Part time external employers
    • External parties that visiting the organization

    Applications and databases

    • Applications (licenses)

    And so on.

    If we take some few real examples from our organization, should we specify detailed such as:

    *** (helpdesk software, critical for giving good support to our clients)

    *** (billing system for our cloud business)

    Or should this be classified as a broader category such as your examples? 

    Thank you

  • Audit

    Agradeceré puedan resolver mi siguiente consulta.

    Desde hace algunos meses compré el Paquete Premium de ustedes y he venido haciendo la preparación para que una empresa pueda certificarse en ISO 27001.

    Mi pregunta es: Hasta qué punto debo llegar para que la empresa Certificadora haga su auditoría ? Deben considerar que he cumplido todos los pasos exigibles y obligatorios por ISO 27001, habiendo llegado hasta al “Plan de concienciación y capacitación”. Solamente me está faltando los puntos de “Auditoría Interna”, “Revisión por la dirección” y “Acciones correctivas”…. Mi pregunta es, si estos 3 últimos pasos debo realizarlos obligatoriamente antes de pasar la Auditoría de Certificación.

    Debo resaltar que, en mi calidad de Consultor de la implementación de ISO 27001, no podría hacer una Auditoría Interna, debido a que no debo ser “juez y parte”.

    Que es lo que debo hacer o que me recomiendan ?

  • Business continuity management

    I want to ask if BCM applicable to be implemented in Pharmaceutical company for the aspect of continuity of products manufacturing

  • ISO 27017 training presentation

    I’m interested in training presentation for ISO 27017. I’ve looked in the ISO 27017/27017/27001 that received and there is no presentation for training.
    Do you have something to offer me?

  • Can ISO 27001:2013 be certified against multiple legal entities?

    We have multiple companies (different legal entities) and operating from the same location under the single owner. We would like to implement the ISO27001:2013 for all the different legal entities. All entities are under the same line of business.

    I would like to know whether we can implement the ISO 27001:2013 for multiple companies under the single scope? So that we can undergo for certification as a single unit?

    Let me know if you need more information.

Page 3 of 428 pages