ISO 27001 & 22301 - Expert Advice Community




  • Asset inventory

    If we choose the IT department as the SOW, as we have more than 500 employees and more than 5 work locations, what assets should we include in the inventory?

  • ISO 27001 Beginner

    Hi, I currently work for a care company in the UK and I've been asked to research ISO 27001 and how to apply it to the IT industry. I don't really know where to begin, and could use some help. I have been asked to do audits and risk assessments. What I'm asking for is a beginner's guide here and someone to point me in the right direction for this. Any help is appreciated.

  • Query Regarding Internal Audit

    We have been working on the ISO 27001 project using Advisera templates.

    With regard to the Internal Audit, we plan to conduct the audit based on "ISMS policies" as the scope instead of "Departments" as the scope, as indicated in the Advisera Vimeo video and templates.

    This approach led to some doubts around the scope & criteria content in the templates, which we want to clarify with the Advisera ISO 27001 experts.

    Can ISMS policies (e.g. Access Control Policy, Human Resource Security Policy, ...) be the scope for the Internal Audit?
    Can requirements within the ISMS policies be audit criteria, e.g. HR screening criteria - BS7858 as per regulatory requirements?
    Internal Audit Program (Scope & Criteria)

    Scope (What, when, who) - HR Security Policy

    Criteria (What) - BS7858 (mentioned in HR Security policy)

    and so on for other policies in our ISMS to be scope and criteria

    Internal Audit Procedure template (Section 3.2) is proposed to be updated as follows:

    Scope of the audit (departments, processes, clauses of the standard, etc.) == >> plan to add "ISMS Policies" (to cover HR Security policy, Access Control policy, etc.), as our approach to the audit is based on auditing policies instead of departments

    Audit criteria (standards, legislation and regulations, internal documentation, corporate standards, and/or contractual obligations) == >> BS7858 is a regulatory & contractual obligation from regulator for HR security policy

  • Question about A.7.1.2

    I have questions about these controls: A.7.1.2 and A.15.1 (both are identified as applicable in our Statement of Applicability): A.7.1.2 Terms and conditions of employment / Confidentiality Statement and Statement of Acceptance of ISMS Documents. As I understand it, control A.7.1.2 requires mandatory documentation of both of the above with the organization’s own employees. I have difficulties defining the contractor part of this control. Does the control require mandatory documentation with contractors (in a supplier contract, etc.)? I can see at least two kinds of contractor cases: hired employment (just people from a contractor who specializes in hiring people) and regular IT system vendors (and their own employees) with no employment status with us. Is the regular IT system vendor part up to us to freely define in the Supplier Security Policy, or are there mandatory documentation requirements? Thank you for your answers.

  • Conformio – adding responsibilities

    How would I know which steps to assign to say Marketing, HR or Finance?

  • Rules for visitors

    Hi, we are a software development company following your templates to achieve ISO27k1.

    Currently we have a visitors management system in place. Every visitor gets a badge and has to wear it constantly and some other rules apply of course.

    My question is: where do I state the rules for visitors? The "Procedure for working in secure areas" seems to be a document that describes only areas where the security measures are higher than in the other areas. For example, we have selected our server room environment as a secure area, and also the archives and the CEO's office, since those are the places where documents are being held in a safe or in cabinets with locks.

    I would like to define and write down rules for visitors for common areas - like conference rooms, the developers' den, the kitchen and the WCs. Is there a suitable policy that exists in the realm of ISO27k1 (I've searched, but couldn't find a perfect match) for such a purpose, or should I create my own policy that might not be a part of ISO27k1? What would be a good place to describe those rules? We would like to use the ISO27k1 ISMS as the backbone for security in the office, and it seems like a good idea to have our visitor system integrated in the policies. Please advise. Thank you.

  • Departments Involved in ISO 27001

    I am using the Conformio site and want to know what departments would be involved in the ISO 27001. Would I list all the departments in my Company like Customer Support, Sales, Application Development?

  • Next steps for certification

    ISO 27001 / GDPR ... What steps are left to becoming certified once templates are completed. A review of documents completed /stored.

  • MDR and Contract Manufacturer

    We are a ***-based company that manufactures dental instruments, under the name of ***.

    a) We export to the EU and the USA,
    b) We do not sell under our own name,
    c) We stamp the brand or name of the company we export to on the instruments.

    Now, we are in contact with a European company for acting as our EU AR.

    They say: ***, by the MDR definition, is not a "legal manufacturer", as *** is not selling in the EU under its own name or brand.

    So we cannot act as *** EU AR.

    My questions are:

    1. Are they right in their observation?

    2. Do we need an EU AR or not?

    3. If not, then, what should we declare on the labels, *** as Contract Manufacturer?

    Please help us and guide us in this regard.

  • Document for monitoring

    Which document will be applicable for monitoring-related work? Like I mentioned, I need to preview and then purchase any document that will guide me on monitoring/managing an already certified program. Can you indicate which document will be applicable for review related to that?
