ISO 27001 & 22301 - Expert Advice Community

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

Assign
  • Where to start from as a new CISO

    Soon I'll achieve a position of CISO in a commercial organization. What should I start from on this position? What shall I do first?
  • ISO 27001:2013 and KPIs

    The iso 27001:2013 states that a organization shall use kpi's. Where in the toolbox can i find those kip’s?
  • Roles and ResponsibilitiesAssets and risk assessment

    The toolkit refers to several different positions, however every organization distributes it repsonsbilities the same way. Is there a comprehensive list of the required/needed areas of responsbilities so I can align that to the titles in my organization?hi, if I have lets say database server, i will consider it as one asset? or I have to add the server as asset and the database (oracle or sql) as another asset? and do I have to do it twice if I have one development database server and one production server? thank you
  • Difference between the internal audit and the risk assessment

    How does a risk assessment approach differ from that of an internal audit based on Iso27001?
  • Certification body Interview

    Hi Dejan, I need your help in a matter, we will have a first interview with a certification body for ISO 27001 certification next week, and I wonder what kind of questions should we ask them? what should we discuss exactly? NB: They have already sent us the offer of certification and we need to held a meeting before signing the contract Many Thanks
  • Asset Management Procedure

    Hi Dejan, I have a question regarding the Asset management procedure, Shall we build such procedure? if it is so what should it encompass? and what we really mean by Assets (Are they only Desktops, laptops and servers or all type of assets (physical, software, hardware, intangible ...) Thanks in advance
  • Setting the scope of ISO 27k certification

    In trying to explain what we are doing, I get my audience confused when sometimes I use the term “the system” to refer to the data processing system (in our case an e-commerce application) and sometimes “the system” is the ISMS. When I say “system” to the business unit, Sr. management, the CFO office, etc. I am sure they interpret “system” to mean some information processing system (some information technology “black box”) when in fact it is a really a business process. (I really hoped they were going to drop the term ISMS as, for some reason at least in the U.S., to refer to a business management process as a system seems unnatural.) Do I just have myself confused or would you have some advice how I can disambiguate the “data processing system” from the ISMS that controls it.
  • ISO 27001:2013 standard - student copy

    Hi, As a student or an individual is it possible to get a copy of new standard at subsidized rate? Regards, Mukta
  • Can the risk be accepted and the control not applied?

    We are in the initial stages of obtaining our ISO-27001 certification and in doing so we are up to the Pre-certification step. During the pre-certification we reviewed our Statement of Applicability and in particular our Out-of-Scope controls. One control that was found to be a low risk during the Risk Assessment and senior management has agreed to accept the residual risk; and we determined it be out of scope, is being demanded by the auditor to be in-scope. Is that permitted? Based on our scope and boundaries as well as documented exclusions, the control does not come into play. I’m trying to gather some additional information on the determination of in-scope vs. out-of-scope.
  • Setting the ISMS scope for data center

    Since my ISO program is focus on one of our data centers, the data center was maintained by operation team, infra service was supported by Infra Team, also development team for application development