ISO 27001 & 22301 - Expert Advice Community

  • Internal Audit Report Review

    I have your documents for the internal audit report and the checklist, on the internal report is it acceptable to state that everything was implemented correctly and there was no finding for improvement?

  • Certification process of sister company

    The majority of our finance, HR and other major departments are managed by our parent company, but our sister company wants to become ISO 27001 certified. How do we manage the certification process? Please note that we will require access to the HR and finance departments, for instance. Additionally, we are headquartered in site A and have a branch in site B, but we wish to obtain certification only for site A. How are we going to treat our employees in site B and under which category should we put this?

  • Business Continuity Plan Testing Exercise

    We are planning a BC Plan tabletop exercise for a scenario called Data Centre Power Outage. I understand the BC plan is a product of Risk Assessment and Business Impact Analysis. I just joined this new organisation and all have been given BC Plan. Not sure how risks were assessed and BIA was done.

    Question: Can we include risk assessment and BIA in the test exercise and ask questions on that? Or, in other words, should we do both analyses during this testing exercise?

    Secondly, what are the most relevant questions we should be asking?

    Many thanks

    Ash

  • 27001 Certification for Multiple Companies / Geographic locations

    I'm trying to write and implement an ISO 27001 compliant information security management system (ISMS) for the company I work for. Currently we have our HQ in the UK (2 office locations plus a test site) and an additional office in Europe. Currently the goal is to have the ISMS applicable to the UK locations, and the EU location is scoped out as a subsidiary / third party providing services to the UK organisation. The EU office also manages the IT infrastructure of the UK office. I'm not sure of the reason the EU is scoped separately, but I believe it's to avoid complexity and expense. We share intellectual property and confidential information (just technical, generally no Personally Identifiable Information) back and forth between the UK and EU offices and eventually plan to move to a shared cloud database managed by the UK, but the EU has access and contributes. How will the ISMS work in this situation? Are subsidiaries and third parties considered the same under the ISMS? Am I right in thinking that the UK and EU offices need a contract in place defining the services provided (IT management, design work, etc.), including the security requirements the EU office must follow to meet the 27001 standards of the UK office?

  • Auditor definition

    Example: John is Lead Implementer of the ISMS, and Jack is his colleague from the same team. John's boss (who is also Jack's boss) wants to get the internal audit performed by Jack. Is it a conflict of interest for Jack? (Jack was not involved in the implementation, but he has the same boss.)

  • Certifications merge

    Is it possible to "merge" certifications for two ISO certified companies that are in different "states", e.g. one is in its 1st year and the second is in its 2nd year (surveillance audit), after acquisition of another company, or do you have to recertify?

  • BCMS | ISO 22301:2019

    How much time is required for BCMS implementation in a medium sized organization?

  • Entry into the IT department

    1 - I would like to know if the ISO 27001 standard talks about a single point of entry into the IT department. I would like to know if ISO 27001 talks about multiple entries into the IT department and best practice.

    2 - If not, what standard should I look out for?

  • Supplier Security Policy Question

    Good afternoon,

    When looking through the Supplier Security Policy, am I correct in stating that this is only for actual services used by our companies? Does this apply to customers of ours? Or in our case, does this only apply to the company that does our accounting? And other companies that we use the services of?

  • Backup and DR plans - outsourced services

    We have some trouble regarding backup and disaster recovery rules for our outsourced services / applications.

    We have around 200 different applications where the operations and backups are outsourced. We have divided our applications into 3 different criticality categories, where we have set requirements and collected answers for RPOs and RTOs for the applications with the highest criticality level.

    All assets are still in scope (even if they are not business critical) and we have some controls for risks covered by for example backup procedures.

    Does that mean we have to collect RTOs and RPOs for all our assets? Or do you have any suggestions on how we can adjust in our policies to make it more simple for us?