ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Best practice approaches related to the Asset Inventory

    One question, could you please recommend any best practice approaches related to the Asset Inventory when it comes to SaaS accounts we have (shall those be listed in there or not, as we do not actually own the asset/account)?

  • Difference between controls

    I do not understand is the difference between controls to be assigned based on risk assessment (and risk treatment) and controls to be implemented based on Information security policy.

  • ISO for reputation management

    I'm revisiting the question if an ISO exists for reputation management (not to be confused with consumer feedback online review management) please?

  • Location scope with renters & NDA

    We have a small office and rent a room in the middle of our office to one of our primary supliers. They have access to all other areas of the office.  Is this problematic for ISO 27001 Certification? In the scope when discussing physical location - do I just exclude that room from the scope and make sure we have an NDA in place with them?  

  • Comprehensive Information Security Implementation

    What impact do the other 27000XX Standards have on a comprehensive Information Security Implementation for example 27701?

  • External Documents and the acceptable handling thereof

    thank you for your reply and your colleagues comments.

    I am still unsure about the external Documents and the acceptable handling thereof.

    External Documents: 

    Our Servicedesk registers documents within its tracking system.

    Do I need to keep an explicit record or may I argue that I can request any registered document from our Servicedesk? 

    I require advice which external  documents are required for the ISMS. Your colleague wrote:

    “Examples of external documents are laws and regulations you need to comply with, documentation sent by your customers or suppliers, etc.

    The identification of such documents can be made during identification of ISMS requirements and risk assessment.” 

    The only external documents that we identified as pertaining to our ISMS might be the auditors reports and certificates.

    Which “identification of ISMS requirements and risk assessment.” Is your colleague referring to?

    I leave my questions at that,

    I am looking forward to some clarification and will  continue from that.

  • Requirements for ISO 27001 Certification

    We are planning to implement ISO 27001 requirements in one of the BUs in the organization. However, before we start, we have heard that it requires a BU / organization to be operational for 1 year before applying for the certification. We are relatively a new BU and have a plan to complete the implementation and apply for certification before 1 year of operations.

    Can you please guide me, if this is valid - If we don't complete one year of operations, we are not eligible to apply for the certification?

  • Secure System Engineering Principles

    I am interested in the Secure System Engineering Principles and what level of documentation is required?

  • ISMS Risk Survey

    Como alinear el levantamiento de Riesgo de SGSI con otras unidades de mi organización, para hacerlo en conjunto, por ejemplo con finanzas, proceso, etc. Se podría dar riesgos en común?

    How to align the ISMS risk assessment with other units of my organization, to do it together, for example with finances, process, etc. Could you give risks in common?

  • Information security policy

    We have developed IS polices and Procedures recently and as per our company rules, procedures shall be approved by CEO and policy by BOD. The management said tat the information security polices shouldn't be a policy yuo should name it procedure
    and now i need evidence from ISO 27001 saying that we must have a policy.

Page 3 of 448 pages