ISO 27001 & 22301 - Expert Advice Community




  • Residual Risk Calculations

    Hi, I understand that the Conformio software auto-calculates the residual risk after controls are added, so I have two questions:

    1. What is the recommended basis for selecting controls? Is more better, as in comprehensively covered, or the minimum needed to reduce the residual risk?

    2. Do we assume that the controls reduce the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls chosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21

    The residual risk is now 0, but I don't understand how the Impact is reduced to 0 with these. Please help.


  • SoA Tasks


    If I specify a user-defined task for an Annex A control, and later want to specify the same task as an implementation method for another control, should I re-enter the task in the second control under the task option, refer to the previously entered task in the earlier control under the text entry option, or do nothing, as the task already exists?

    I am concerned that duplicating the task in more than one control might lead to odd/spurious records being generated as the automatic process compiles the information I have entered.

    Many thanks.

  • BIA Questionnaire Assistance

    Please let me know what resources are available from Advisera to assist with filling out the BIA Questionnaire from the ISO 22301 Toolkit?

  • Guidance on Missing ISMS Documentation and Implementation Drafts

    1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.

    2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?

  • Audit report

    Can the audit report serve as the obligatory documentation of audit program and audit result?

  • Question on risk register and selection of the assets

    I have a question about which assets to select in the risk register, for instance, in the IT and communication equipment category. We certify Company A, which is a subsidiary of Company B. The equipment Company A uses (server rooms, servers, desktop computers, notebooks, and small items) belongs to Company B, and Company A rents it. The alarm system and key cards are also provided by Company B for the subsidiaries. Do we only select assets that are owned by Company A, or all assets that are used by Company A?

  • Physical Security (A.11)

    I can't find anything on Physical Security (A.11).
    Only A.11.1.5 has been described.

  • ISO 27001 Package of Documents

    In our pack of documents I was looking for a Policy on Privacy and Protection and any related procedures that are in our pack, but I couldn't see anything. Are you able to help?

  • Initial Risk Assessment Non-conformity

    At our last surveillance audit our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable, i.e. scoring less than 3, did not show any justification for why we made that assessment, and Conformio doesn't require that. Our assessment would have been based on the controls etc. already in place at that time.

    Obviously, you are of the view that when making the initial assessment, it's not necessary for us to record why we make that assessment. What is the reasoning behind this?
