ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 Contact with Authorities

    When looking at ISO 27001, what are examples of relevant authorities under Annex A.6? As a US company, we may model our work around GDPR, but we don't necessarily have a legal requirement to follow it. With that said, are there any other authorities we would want to maintain contact with?
  • Asset management

    My question is about the asset inventory. I have doubts. I have a list, and in the list there is equipment such as laptops and desktops, software, servers, licenses, and records; the entire list is entered as assets. For example: I have approx. 22 laptops; are they all entered individually as assets, or do I take them all as one? If you had an example of one already made, I would appreciate it as guidance.
  • Non-conformities

    Hi Dejan, I wanted to ask you about documented information for the ISO 27001 Clauses 4.2 and 4.4. For Clause 4.2, our external auditor requires us to have a document containing all needs and expectations of interested parties. My understanding is that there is no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, Compliance_Requirements.pdf. For Clause 4.4, our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10. My understanding is that there is no standard requirement for an ISMS Manual document. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, ISMS_Manual.pdf. Thank you for your help.
  • Mapping of requirements categories to ISO 27001 Compliance controls (Conformio)

    We have a customer that requires a quarterly penetration test. We believe this requirement is related to "Operation of information technology" in the dropdown. So far so good; however, we believe it is also related to ISO 27001 control 18.2.3 Technical compliance review, and there is no corresponding option in the dropdown to choose a Compliance type of category for this requirement. Is this an omission? Or, to what dropdown item should we map this requirement so that it shows up in the appropriate area of the SoA?
  • Information Security Management

    How can an Information Security Management System secure data?
  • Control A.8.2 Information Classification

    As a small business, we are inclined not to implement the following Annex A control, Information classification, as after the risk assessment management has taken a decision to accept the risk. However, we are also told this is a critical control that some auditors don't like to see left unimplemented. Therefore, as an alternative for that control, could we have all our documents classified as internal, and in case we need to provide sensitive information to external parties, for example, have a process of approvals and change the classification based on the document complexity?
  • Time line to submit audit evidence

    Hi. During an audit, when evidence is requested for the report, what will be the timeline to provide everything requested as evidence, as per standard guidelines and regulations?
  • Consultation to ISO 27001 documentation

    1. Within the points that are detailed in the ISO 27001 templates, there is no point related to sanctions. Is it possible to place this point within the corresponding documents, to detail which (labor) reprimands would result from failure to comply with any of the guidelines of X Policy? 2. I have another query: within the Business Impact Questionnaire, must this be done for each activity that is managed in the organization, or can several activities be placed in a single questionnaire? If the answer is yes, please indicate how to do this. https://i.imgur.com/B9697X0.png
  • Mapping of requirements categories to ISO 27001 Human Resource controls (Conformio)

    We have a customer that requires that *** employees be submitted to background checks, etc. This correlates to ISO 27001 Clause 7, Human Resource Security. However, there does not really seem to be a matching category in the "To what area is this requirement related?" dropdown list. Is this an omission? Or, to what dropdown item should we map this requirement so that it shows up in the appropriate area of the SoA?
  • Question on Creating a Business Case for ISMS ISO 27001:2013

    1. Is the creation of an ISO 27001 ISMS Implementation Business Case document mandatory? 2. What components should the business case contain? 3. When is the Business Case document created? Before starting the ISMS planning phase? After the gap analysis, after the risk analysis, etc.? 4. As in the initial phase of an ISO 27001 ISMS implementation project the cost and/or the investments required for the implementation of the controls for the treatment of risks are not yet known, how is the financial budget of an ISO 27001 ISMS project determined so that it can be added to the Business Case?