We are based in Canada but have clients and, to some extent, operate in the US, Australia, and the UK. Is it sufficient to specify conformance with PIPEDA as defined in Canada's Privacy Act, or do we have a separate requirement in each country we operate in? Thanks
Is there any standard regulation for the treatment of server decommissioning? I'm structuring the project scope and collecting information regarding the regulations and information requirements that need to be observed before the definitive discarding of information. The project will be developing a new process for a proper server decommissioning standard to be applied to all types of servers.
We bought your set of documents for the ISO27001 certification and are missing a template for business continuity management.
The auditor requires it (more than the emergency recovery plan) according to A.17.1.
Do you have something we can use?
I need to see information on how far apart a data center and a disaster recovery site should be. Can I find this in the ISO 27001 documents?
I have some customer requirements that I want to ask if they are already included in my scope or not. One set calls out Offshore requirements. We are a virtual company and everyone works remotely. I didn't plan to separate offshore vs. domestic work. Is that typical? Please let me know if these requirements will be fulfilled: I think these would be, but I don't quite understand Incident Response vs. Incident Plan vs. Incident handling - aren't these all covered by the same Policies and Procedures and part of the overall plan? IR-1.1 Develop policies and procedures for Incident Response. IR-6.1 Report security incidents to appropriate personnel or government authorities in a timely manner. IR-8.1 Develop a comprehensive Incident Response Plan for the organization. IR-5.1 Implement mechanisms for tracking and documenting security incidents. IR-4.1 Develop an incident-handling process for the organization. Does this have to be separate? Offshore-48 Complete a security assessment of the organization's offshore location(s) and/or third party's offshore location(s) annually. Offshore-20 Requires antivirus software to be active and up to date on workstations.
My company is a Telco. We are going to buy a revenue assurance and fraud management (RAFM) system. That system will take data from other Telco source systems (like the switch, billing system, etc.), analyze it for us, and help us find data exceptions. Is it a must that our RAFM vendor's system complies with ISO 27001 certification? Or can we consider that it is simply a monitoring aid tool and ISO compliance is not a must? Kindly advise. Thank you
Thank you for your email.
I have a few questions that you might be able to answer with regard to what we currently have and what we need to fully comply with ISO 27001:2022.
Our current situation is as follows:
ISO 27001:2013 is valid from August 2021 to August 2024
First Surveillance/Maintenance Audit was completed
2nd Surveillance/Maintenance Audit is scheduled for 2023
Recertification Audit is scheduled for 2024
The questions are:
Should we start implementing ISO 27001:2022 after the 2nd Surveillance/Maintenance Audit for ISO 27001:2013 and then apply for Certification Audit for ISO 27001:2022 in 2024?
Should we start implementing ISO 27001:2022 immediately and then apply for the Certification Audit for ISO 27001:2022 in 2023? Is this even an option? Or do we need to complete the 3-year cycle?
Staff training course/certificate completed
ISO 27001: 2013 Lead Auditor Course
ISO 27001:2013 Internal Auditor Course
The question regarding these courses/certificates is: in order to have ISO 27001:2022 certification, will we just need to take a course + exam on the ISO 27001:2022 Foundation Course?
ISO 27001:2013 Lead Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Lead Auditor Course Certificate
ISO 27001:2013 Internal Auditor Course + ISO 27001:2022 Foundation Course = ISO 27001:2022 Internal Auditor Course Certificate
Also, last year (2021), our company purchased the ISO 27001:2013 toolkit. Is there an upgrade option to ISO 27001:2022 and/or guidance on what document(s)/process(es) we need to change or document(s)/process(es) we need to create?
Hi, we are doing backup restore tests, but we are unsure what records we should produce. Producing records of backup runs is easy; they are in the backup logs. But the backup restore test involves taking a backup copy, restoring it, and then looking at the result. The person who did the restore can say it looks OK, all files are there, and validate the last DB entry, but this control needs to generate a record, report, or screenshot of some kind so we can be sure it was tested according to schedule.
I would be happy if you could shed some light on the best practice in this area. Thank you and best regards!
What is the scope of application of the following standards? I don't know where to consult them.
NTC ISO/IEC 27000, NTC ISO/IEC 27001:2013, NTC ISO/IEC Guide 73:2002
Standard ISO IEC 27005 – 2009, COLOMBIAN TECHNICAL STANDARD NTC-ISO/IEC 27001
I just wanted to confirm with you some information regarding the dates from which organisations can start certifying to the new issue of ISO 27001:2022. The transition period diagram that you have published in your blog states that organisations can start certifying to the new standard as of 25/10/2022.
Does that mean Certification Bodies are already certified to the new standard and the Auditors are already qualified to audit organisations against the new standard's clauses and controls?
Or is it in fact a mistake in the transition diagram and the date should read 25/10/2023?