Guest
Hello,
Good Morning,
Could you tell me what exactly you guys want from the Procedure for Document and Record Control document?
In detail, please. I also have a couple of questions: my scope is the whole organization, "This procedure is applied to all documents and records related to the ISMS", so in my case is it all of the company's documents?
Document approval
I understood that the CEO must approve all documents; is there something else?
3.3. Publishing and distributing documents; withdrawal from use
There are some parts where Conformio is mentioned. I don't think the way the word "Conformio" is written there is professional: "the Conformio platform will automatically inform all employees listed as users of the document by email...."
Tell me more about record control and also documents of external origin; what do you want from me exactly? I could not figure it out.
Thank you in advance,
Please clarify a question for me.
Can an information system be composed of: information security management system procedures and policies, hardware, software, networks, data, documents and facilities and people?
We are an IT service provider in the healthcare industry and have different internal IT teams. We have an IT Field Engineering team, Data Centre, Directory Services, Networks and Telecoms, IT Server team, Project Management Office (PMO) teams, etc. These are all specialist teams and their members are SMEs in their field; they know the benefits of ISO 27001 and are committed to helping us, the Compliance Team. However, auditing these technical experts on clauses 4–10 is a challenge.
So, what we have been doing is auditing these internal teams against the controls of Annex A; we created a template around these controls. Each team is audited around these controls, for example:
A6.1.2 Segregation of Duties
A8 Assets
A9 User Access Management
A11 Physical & Environment Security
A12 Operations
A15 Suppliers
A16 Information Security Incidents, etc.
However, during the recent surveillance audit, the external auditor issued a non-conformity saying:
“Audits conducted to date have covered service delivery: to date, there has been no audit to conformity with ISO27001 clauses 4-10”
My question is: these technical people don't know what is in clauses 4–10 of ISO27001. How should we audit them against the clauses of the standard? For example, they don't know the basic questions:
Are relevant internal and external issues that can affect an organization's ISMS identified?
Are all relevant interested parties identified, together with their requirements?
Is top-level Information security policy documented?
Are management reviews performed as planned?
Is the Risk Assessment and Risk Treatment Methodology reviewed before the regular review of existing risk assessment?
The only option we can see is if someone within the organization who is independent audits us, the Compliance Team, on Clauses 4–10, and we continue auditing the technical teams against Annex A controls. Please advise if this approach is sufficient to improve our auditing process. Many thanks, Ash
We are a SaaS-based company and we are hosted on the AWS cloud. Hence we use AWS Security Groups, which act as virtual firewalls. We have multiple security groups. One of the controls in ISO is that a firewall review needs to be performed. The traditional approach is that the firewall owner reviews the rules and provides sign-off, etc. However, since we have multiple security groups it becomes difficult to review each. We have implemented a CIS benchmark tailored for AWS. We deploy regular scans on AWS Security Groups, using parameters established by the CIS benchmark. The focus is on detecting potential misconfigurations, especially in the context of publicly open ports, ensuring a robust defence against unauthorized access. Weekly reports are generated and sent to the team.
My question is: as part of an audit, can this evidence suffice, since we have automated the process of firewall review and do not perform a manual review?
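To make concrete what an automated security-group review of the kind described in the post above produces as audit evidence, here is an added example; it is not the poster's scanner, Conformio's, or CIS's code. It assumes the rule shape returned by the EC2 DescribeSecurityGroups API (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges) and constructs three sample groups in that shape. The checks follow the intent of the CIS AWS Foundations Benchmark networking section (no ingress from the whole internet to remote administration ports), but the specific benchmark rule numbers are not reproduced, so the severity mapping is this example's own assumption.

```python
"""Automated review of AWS security group ingress rules (added example).

Not the poster's or any vendor's code. Assumes the EC2
DescribeSecurityGroups rule shape; SAMPLE_GROUPS is constructed.
The admin-port list and severity levels are this example's assumptions,
modelled on the CIS AWS Foundations Benchmark networking checks.
"""
from dataclasses import dataclass

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
ADMIN_PORTS = {22, 3389}  # SSH and RDP: never open to the world


@dataclass(frozen=True)
class Finding:
    group_id: str
    group_name: str
    protocol: str
    port_range: str
    cidr: str
    severity: str  # "high" for admin ports / all traffic, else "medium"


def _port_range(rule):
    """Render a rule's port span; protocol -1 or port -1 means all ports."""
    if rule.get("IpProtocol", "-1") == "-1":
        return "all"
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if lo == -1:
        return "all"
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _covers_admin_port(rule):
    """True if the rule admits traffic to SSH/RDP (or to every port)."""
    proto = rule.get("IpProtocol", "-1")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if lo == -1:
        return True
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _public_cidrs(rule):
    """World-open source ranges on this rule (IPv4 and IPv6)."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", []) if r.get("CidrIp") == ANY_IPV4]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", []) if r.get("CidrIpv6") == ANY_IPV6]
    return cidrs


def review_security_groups(groups):
    """Return one Finding per (ingress rule, world-open CIDR) pair."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissions", []):
            for cidr in _public_cidrs(rule):
                severity = "high" if _covers_admin_port(rule) else "medium"
                findings.append(Finding(sg["GroupId"], sg["GroupName"],
                                        rule.get("IpProtocol", "-1"),
                                        _port_range(rule), cidr, severity))
    return findings


def weekly_report(findings):
    """Plain-text summary of the kind that could be mailed to the team."""
    lines = [f"Security group review: {len(findings)} world-open ingress rule(s)"]
    for f in sorted(findings, key=lambda f: (f.severity != "high", f.group_id)):
        lines.append(f"[{f.severity.upper():6}] {f.group_id} ({f.group_name}) "
                     f"{f.protocol}/{f.port_range} from {f.cidr}")
    return "\n".join(lines)


# Constructed sample in DescribeSecurityGroups shape (not real AWS data).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-public", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "GroupName": "internal-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
]

if __name__ == "__main__":
    print(weekly_report(review_security_groups(SAMPLE_GROUPS)))
```

Against the sample, the HTTPS rule on the public web group is reported at medium severity (open by design, but still worth a documented justification), while the world-open SSH rule and the "all traffic" rule are high. For a real account, the same functions can be fed the `SecurityGroups` list returned by boto3's `ec2.describe_security_groups()`. As audit evidence, keep the dated reports together with the record of who reviewed the medium findings and accepted or remediated them; the scan shows what was open, the sign-off shows someone decided it was acceptable.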
I am a bit conflicted about this and need to hear what you think. I have asked Experta but I am still not sure. It feels like there must be a clear answer to this. So my question is... can I (according to ISO 27001) choose to not implement a security control from Annex A even if I can see a risk in not implementing it? If we identify the risk but choose to accept the risk without any mitigating actions, in this case there won't be any risk treatment plans to connect to the security control. The risk is accepted by the company and we choose "Not Implemented" with no plans to implement. The risk and security control will be re-evaluated yearly. Is this okay, or what should we do with the security control if we only have one or several risks linked to it that are accepted without further actions?
The reason to Not Implement could be that the risk is very very low, very very unlikely and/or would cost more to implement than the consequence of the risk.
In our BCP for external threats like cyber attacks it is mentioned that "RTO is not applicable in this case, however it is recommended to contain the threat within a defined period", so the MTPD for this kind of disruption is 2 hours, but it took us more than 4 days to resume all critical systems and services. What do you guys think, should I raise a non-conformity for this?
Please help me with sample examples of information security goals that can be easily measured. Thank you so much!
I purchased your ISO 22301 package in 2022, but only now have I been able to start delving into its contents. I have a question: in the 05.1_Business_Impact_Analysis_Questionnaire_22301_EN file, where do I find the RTO listed?
Hi, I am new to this community and a newbie in the field of information security. ISO 22301 - BCMS has captured my focus as a starting point.
I've been reading about RTO and RPO and have quite an understanding of these concepts now. At least enough to ask some stupid questions. Please don't mind if my question does not make sense, as I am still absorbing.
I have read an example about how business processes have their own set of Business-RTO (BRTO) and Business-RPO (BRPO) based on their criticality, and these values are set by their respective business owners. Further, these processes are dependent on the supporting infrastructure, such as application assets, vendors, locations, and other resources.
Additionally, applications that support processes have their own set of Application-RTO (ARTO) and Application-RPO (ARPO) set by their respective application owners. Also, there needs to be a roll-up RTO and RPO for applications, as an application may be tagged to multiple processes, and it must be aligned with the minimum of all the tagged processes' BRTO and BRPO values. Based on the comparison of the roll-up value and the owner-assigned value, we can identify a gap for an application.
Now, my question is that a process can be directly dependent on the RTO of an application, because to run that process the application must be up and running. However, it's not the same for the application RPO. RPO depends on the backup rate of the database, and if an application is still down but we have not lost any data or much data (under the RPO value), we can still interact with that data through other means/alternatives, correct? I think my concept of RPO and how it is related to an application is not clear. I need a more experienced view on this.
Thanks in advance.
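The roll-up rule described in the post above (an application's required RTO/RPO is the minimum BRTO/BRPO over every process tagged to it, and a gap exists where the owner-assigned ARTO/ARPO exceeds that requirement) is small enough to work through in code. The following is an added example, not the poster's or any vendor's implementation; the process and application names, hours and tagging are constructed, and the dataclass layout is this example's own choice.

```python
"""Roll-up of application RTO/RPO from the business processes they support.

Added example, not the poster's or any vendor's code. Follows the rule in
the post: required RTO/RPO for an application = min BRTO/BRPO over its
tagged processes; a gap is an owner value larger than the requirement.
All names and hour values below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Process:
    name: str
    brto_h: float  # business RTO in hours, set by the business owner
    brpo_h: float  # business RPO in hours


@dataclass
class Application:
    name: str
    arto_h: float  # application RTO in hours, set by the application owner
    arpo_h: float  # application RPO in hours
    supports: list  # names of the processes tagged to this application


@dataclass
class RollUp:
    app: str
    required_rto_h: float
    required_rpo_h: float
    rto_gap_h: float     # > 0: the owner's RTO is slower than the business needs
    rpo_gap_h: float     # > 0: the owner's RPO allows more data loss than tolerated
    driven_by_rto: str   # process whose BRTO sets the tightest requirement
    driven_by_rpo: str   # process whose BRPO sets the tightest requirement


def roll_up(apps, processes):
    """Compute the roll-up requirement and gap for every application."""
    by_name = {p.name: p for p in processes}
    results = []
    for app in apps:
        tagged = [by_name[n] for n in app.supports]
        if not tagged:
            # An untagged application has no business requirement to roll up.
            raise ValueError(f"{app.name} is tagged to no process")
        rto_driver = min(tagged, key=lambda p: p.brto_h)
        rpo_driver = min(tagged, key=lambda p: p.brpo_h)
        results.append(RollUp(
            app=app.name,
            required_rto_h=rto_driver.brto_h,
            required_rpo_h=rpo_driver.brpo_h,
            rto_gap_h=max(0.0, app.arto_h - rto_driver.brto_h),
            rpo_gap_h=max(0.0, app.arpo_h - rpo_driver.brpo_h),
            driven_by_rto=rto_driver.name,
            driven_by_rpo=rpo_driver.name,
        ))
    return results


def gaps(rollups):
    """Only the applications whose owner-assigned values fall short."""
    return [r for r in rollups if r.rto_gap_h > 0 or r.rpo_gap_h > 0]


# Constructed sample: three processes, three applications.
PROCESSES = [
    Process("Order intake", brto_h=4, brpo_h=1),
    Process("Invoicing", brto_h=24, brpo_h=4),
    Process("Payroll", brto_h=72, brpo_h=24),
]
APPS = [
    Application("ERP", arto_h=8, arpo_h=1, supports=["Order intake", "Invoicing"]),
    Application("HR system", arto_h=48, arpo_h=24, supports=["Payroll"]),
    Application("Customer DB", arto_h=2, arpo_h=4, supports=["Order intake", "Invoicing"]),
]

if __name__ == "__main__":
    for r in gaps(roll_up(APPS, PROCESSES)):
        print(f"{r.app}: RTO gap {r.rto_gap_h}h (needs {r.required_rto_h}h, driven by "
              f"{r.driven_by_rto}); RPO gap {r.rpo_gap_h}h (needs {r.required_rpo_h}h, "
              f"driven by {r.driven_by_rpo})")
```

The two flagged applications in the sample also separate the poster's RTO and RPO concerns: ERP recovers too slowly (8 h against a 4 h requirement) but its backups are frequent enough, whereas the Customer DB can be back within 2 h yet its 4 h RPO would lose more order data than the 1 h the business tolerates. The RTO gap is about how long the process waits for the application; the RPO gap is about how much data the process has to re-enter or reconcile afterwards, which is why they are rolled up and reviewed separately.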
Hi, I understand that the Conformio software auto-calculates the residual risk after controls are added. So, 2 questions:
1. What is the recommended basis for controls? Is more better, as in comprehensively covered, or the minimum to reduce the residual risk?
2. Do we assume that the controls reduce the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls chosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21
The residual risk is now 0 but I don't understand how the Impact is reduced to 0 with these. Please help.
Thanks