ISO 27001 & 22301 - Expert Advice Community

  • Corrective Action Form

    I was just wondering about the “Corrective Action Form”, as the Incident Log makes reference to it. There is a column for “Reference to the Corrective Action Form”, and the comment reads “Number of Corrective Action Form - the idea is to improve the system based on each incident in line with the Procedure for Corrective Action.”

    If we were to buy the Corrective Action Form, how would we fill in this column? With for example, “action points:…” or with a number?

  • Measuring success of Information Security

    1 - Am I right to say or think that we measure the success of Information Security by defining Key Performance Indicators (KPIs) for each Information Security Program?

    2 - If so, how does one measure the success of the Information Security program according to ISO 27001?

    3 - Again, what specific KPI examples can you mention to me?

  • Cryptography Use Policy

    I acquired the cryptography use policy, but I found it very simple. Could you please provide additional material on the subject?

  • ISMS Controls

    1 - I would like to know more about the controls. Are there any categories of controls?

    2 - Important controls / not so important controls?

  • Business abiding by ISO 27001 when using BYOD policy

    How would a business abide by ISO 27001 when using a BYOD policy?

  • Electronic File/Folder structure SOP

    My organization is looking to create an SOP on how to create a folder/file structure (electronic). We have lots of documents and everybody organizes their files/folders in their own way, and it is a disaster... Does ISO 27001 address that issue?

  • Internal Auditor from outside

    Hello Advisera,

    We've hired our internal auditor from outside, and we will receive the Audit Report from him.

    Do we still have to write the Internal Audit Procedure and program, or is that normally what the internal auditor should provide us in this case?

    Thank you!

  • Questions for ISO 27001 & 22301 List of Mandatory Documents

    1. No. 1. Document Code 00, Procedure for Documentation and Record Control. Should this be marked as Mandatory for 27001?
    2. No. 3. Document Code 02, Procedure for Identification of Requirements. Should this be marked as Mandatory? I noticed No. 4, Appendix 1 is checked as Mandatory. Shouldn't this be part of the Procedure for Identification of Requirements?
    3. No. 27. Document Code A.12.2, Change Management. Should this be marked as Mandatory?
    4. No. 32. Document Code A.15.1, Supplier Security Policy. Should this be marked as Mandatory? I noticed No. 33, Security Clauses for Suppliers and Partners is checked as Mandatory. Shouldn't this be part of the Supplier Security Policy?
    5. No. 34. Document Code A.16, Incident Management Procedure. Under the Relevant Clauses in the Standard, one of the controls displays as A.6.1.2; should this be A.16.1.2?
    6. No. 57. Document Code 10, Internal Audit Procedure. Should this be marked as Mandatory? I noticed No. 58, Appendix 1 is checked as Mandatory. Shouldn't this be part of the Internal Audit Procedure?
    7. No. 63. Document Code 12, Procedure for Corrective Action. Should this be marked as Mandatory? I noticed No. 64, Appendix 1 is checked as Mandatory. Shouldn't this be part of the Procedure for Corrective Action?

  • DRP applicability

    A client will have an ISO 27001 certification audit in July, and the DRP plan has already been contracted for delivery in December, with a signed contract. However, we know that in July there will be no evidence of the DRP test, only the purchased project and its progress. He wants to know whether this would result in a major nonconformity, making the recommendation for certification unfeasible.

    The company in question has 2 servers in 2 cities. However, the systems are NOT complementary. One would not support the other in case of a disaster. The DRP solution was therefore contracted to increase the capacity of the smaller equipment so it can take over in case of an interruption of the larger server. They already have the backup procedure, but in the current situation the company would not be able to keep all systems operating in case of a disaster. The contracted project will be operational in December, but the audit will be this July. The concern is that the DRP is declared in the applicability document, and in July we will not yet have the main evidence of a completed test showing that the DRP is working; that will only exist in December, as promised. The question is whether this will be considered a MAJOR NC for lack of practical evidence of the DRP test, or whether it would be a MINOR NC, since it shows that a solution is already contracted to resolve the situation in December.
