ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

3383
Discussions
Expert

Carlos Pereira da Cruz

1800
Discussions
Expert

Dejan Kosutic

366
Discussions

Most Popular Tags

Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 Documentation Toolkit Risk Assessment ISMS Product: ISO 13485 Documentation Toolkit Internal Audit Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 9001 BCMS Certification scope Product: EU GDPR & ISO 27001 Integrated Documentation Toolkit EU GDPR
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • ISO 27001 audits

    1. Can the same person who manages ISMS for the organisation do the  internal audit? Is there a conflict of interest?

    2. Does the internal auditor need to be technical in IT. Where system security applications as stated in the policies/ procedures, do the internal auditor need to verify its functionality/ effectiveness or only need to view documented materials. In another word, do the auditor need to test the system for validity?

    3. Can an internal audit be carried out in stages over different timeframe or must be done in one process?

  • Asset inventory

    Hi! I'm a customer with you at the moment. I bought the ISO 27001 template package. One quick question:

    Should the Asset Inventory spreadsheet and the Risk Assessment spreadsheet always reflect each other? I mean should they always have the exact same assets?

    Currently, in my Asset Inventory, I have a "Dell XPS17" and a "Dell XPS15" but in my Risk Assessment I just wrote "company-owned laptops".

    Does it make any difference?

  • Data Backup and Restore

    Does the backup and restore process should be encrypted?

    I Mean the tapes itself.

  • Control diversification

    Hi, I'm a customer using your template package for ISO 27001.

    Quick question for the experts:

    I've read this thread in the community (https://community.advisera.com/topic/control-objectives-in-the-statement-of-applicability) but I'm still having some difficulties.

    We're a very small organization with a scope of 3-4 persons. We've never had a security incident. I know that you've added the "Control objective" column to make it practically easier, but I start to wonder if we should completely remove the column. The only control objective I can think of is "We want to continue having 0 (zero) security incidents". And sure, I can put in "We want to have zero security incidents due to (insert e.g., lack of patching, poorly managed access rights etc.)

    Currently, I've written the same thing in almost every control (formulated as a question though):
    - Has any incidents occurred due to failed control with access rights?
    - Has any incidents occurred due to the lack of security measures in the transfer of physical media?

    I cannot figure out how to diversify it. Can I completely ignore the control objective column and then just go by "We want to keep having zero security incidents. If we register any - how many? And due to what?" and then look to the weakness.

  • 10.1.2 Key management

    I wanted to ask how I can check annex 10.1.2 Key management during the internal audit session what's needed to be satisfied these requirements.

  • Human Resources Policy

    My new organization has a lot of Human Resources policies like diversity and inclusivity policy, Car allowance policy, Dress code policy, etc., while ISO 27001 Human Resources security policies deals only with prior, during and after employment security.

    1 - In designing an ISMS to ISO 27001 standards, are this non security related policies included or excluded?

    2 - Another question. My new organization uses the Plan-Do-Check-Act (PDCA) to write individual security policies like the business continuity management policy etc.
    My understanding is that the PCDA model is for the structure of the ISMS and not for individual policies. Am I wrong?

  • Encryption for Backup/Restore

    1 - Do we need to encrypt all data during the backup/Restore process or not?

    2 - If yes , do we need to encrypt all the data or we need to classify the data?

    3 - Who will decide what data should be encrypted?

  • Disaster Recovery Plan

    1 - May I ask, is the Disaster Recovery Plan a good control to start with, and the most important one. Also, it consists of many other controls that would then be covered at the same time?

    2 - I suppose our Head Software Developer who also is in charge of Server Maintenance, would that be the person to document these steps.  As it is much more complex than just “copy-paste install backup.

  • Vulnerability Assessment & Penetration Testing policy

    I can't find Vulnerability Assessment & Penetration Testing policy. I don't see it included in A.12.1_Security_Procedures_for_IT_Department_27001_EN.

  • 15.1. Control Document

    I have previously had advise that individual control documents are available, which i have reviewed, but our auditor has specifically asked to develop a control document for 15.1.3 Information and communication technology supply chain, we already have a 15.1.1 and a 15.1.2. The supplier security policy appears to be more related to 15.1 but would it also cover policy required for ICT supplier arrangements as required in 15.1.3
Page 4 of 470 pages