In case if we chose IT department as SOW as we have more than 500 employees and more than 5 locations for work. What assets should we include in the inventory?
Hi, I currently work for a care company in the UK and I've been asked to research about ISO 27001 and how to apply it to the IT industry. I don't really know where to begin, and could use some help. I have been asked to do audits and risk assesments. What I'm asking for is a beginers guide here and someone to point me in the right direction for this. Any help is appriciated.
We have been working on the ISO 27001 project using Advisera templates.
With regards to the Internal Audit, we plan to conduct the audit based on "ISMS policies" as scope instead of "Departments" as scope as indicated in Advisera vimeo video and templates.
This approach lead to some doubts around scope & criteria content in the templates for which we want to clarify with Advisera ISO27001 experts.
Can ISMS policies (ex: Access Control Policy, Human Resource Security Policy,..) be scope for Internal Audit
Can requirements within the ISMS policies be audit criteria ex: HR screening criteria - BS7858 as per regulatory requirements
Internal Audit Program (Scope & Criteria)
Scope (What, when, who) - HR Security Policy
Criteria (What) - BS7858 (mentioned in HR Security policy)
and so on for other policies in our ISMS to be scope and criteria
Internal Audit Procedure template (Section 3.2) is proposed to be updated as follows:
Scope of the audit (departments, processes, clauses of the standard, etc.) == >> plan to add "ISMS Policies" (to cover HR Security policy, Access Control policy, etc.) as our approach to audit is based on audit of polices instead of departments
Audit criteria (standards, legislation and regulations, internal documentation, corporate standards, and/or contractual obligations) == >> BS7858 is a regulatory & contractual obligation from regulator for HR security policy
How would I know which steps to assign to say Marketing, HR or Finance?
Hi, we are a software development company following your templates to achieve ISO27k1.
Currently we have a visitors management system in place. Every visitor gets a badge and has to wear it constantly and some other rules apply of course.
My question is : where do I state the rules for visitors ? The "Procedure for working in secure areas" seems to be a document that describes only areas where the security measures are higher than the other areas. For example, we have selected our server room environment as a secure are and also the archives and ceo's office, since those are the places where documents are being held in a safe or cabinets with locks.
I would like to define and write down rules for visitors for common areas - like conference rooms, the developer's den, kitchen and WCs. Is there a suitable policy that exists in the realm of iso271k ( I've searched, but couldn't find a perfect match ) for such a purpose or should I create my own policy that might not be a part of the ISO 271k. What would be a good place to describe those rules ? We would like to use the ISO27k1 ISMS as backbone for security in the office and it seems like a good idea to have our visitors system integrated in the policies. Please advise. Thank you.
I am using the Conformio site and want to know what departments would be involved in the ISO 27001. Would I list all the departments in my Company like Customer Support, Sales, Application Development?
ISO 27001 / GDPR ... What steps are left to becoming certified once templates are completed. A review of documents completed /stored.
We are a *** based company who manufacture dental instruments, under the name of ***.
a) We export to EU and USA,
b) We do not sell by our own name
c) We stamp the brand or name of the company we export, on the instruments.
Now, we are in contact with a European company for acting as our EU AR.
They say: ***, by MDR definition, is not a "legal Manufacturer", as *** is not selling in the EU by its own name or brand.
So we can not act as *** EU AR.
My questions are:
1. Are they right in their observation?
2. We need aan EU AR or not?
3. If not, then, what should we declare on the labels, *** as Contract Manufacturer?
Please help us and guide us in this regard.
which document will be applicable for monitoring related work? Like I mentioned, I need to preview and then purchase any document that will guide me on monitoring/managing a already certified program. can you indicate which document will be applicable for review related to that?
