Buy the ISO 27001 Documentation Toolkit and
get the ISO 27001 standard in PDF
get the ISO 27001 standard in PDF
for free
Limited-time offer – valid until October 31, 2020
I'm in the process of an audit for license and patch management for an internal audit...Which documentation is needed for such audit process?
In order for me to understand the iso 27001 better can you provide me with a SWOT analysis of the ISO with example for large organisations (1 million+) member voting systems?
Please I need some professional advice
A holding/group/mother company with other legal subsidiary companies want to implement ISMS for the group with the scope including the subsidiary companies.
The Group company and the subsidiary companies are all located at the same place
The same staff works for both the Group company and subsidiary company
They both share the same assets.
But the subsidiary companies offer different products and services
What do you suggest should be the best way to implement the ISMS towards achieving Certification?
1. What is the expected risk level of the residual risk? Assume acceptance is below 3, should a residual risk level be more than 3 having implemented all controls
2. Clause 6.1.1 requires actions to address opportunities.
a. What are opportunities - in relation to ISMS
b. What are the actions to address opportunities
3. What determines likelihood of occurrence in risk assessment ? Is it the frequency for occurrence of an activity/process?
Context
For our ISMS scope, I have added in an organisation chart. On the basis of your advice stating that 3rd parties are out of our remit of control I have made our CFO (he is an independent consultant) and shareholders out of scope.
Question.
In the section, exclusions from scope, are we okay to exclude the CFO/Finance function and shareholders from the scope?
Since the standard is licensed, how can we appropriately reference/include ISO27001 Annex A controls and clause requirements in an internal audit report to show which control/clause is not being met?
Do you have an example of a completed Risk Assessment Table I could look at please. I am interested particularly in the numbering system. It seems to me the numbering should run by asset not by vulnerability, so 1.1, 1.2 etc until next asset.
Es factible contar con una lista de documentos secuencial solo para SGCN.
Te comento que actualmente ya contamos con un SGSI implementado e iniciaremos en breve la implementación de nuestro SGCN. Respecto a los documentos, adquirimos el paquete completo para que nos ayude a complementar el SGSI que actualmente tenemos.
We have a few questions regarding applicability in the toolkit.
1) Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements
Could you provide some guidance how we can tackle this?
2) STATEMENT OF APPLICABILITY - Applicability of controls .
Justification for selection/ non-selection
Control objectives
Implementation method
Status
We'd also appreciate some more guidance regarding this subject.
3) BRING YOUR OWN DEVICE (BYOD) POLICY.
Could you please help us understand why it is not allowed to do the following with BYOD connect via Bluetooth to any kind of device?
4) Risk Assessment 05.2_Appendix_2_Risk_Treatment_Table_27001_EN and 05.1_Appendix_1_Risk_Assessment_Table_27001_EN and
How can we ensure we include all applicable risks? From your experience, is it enough to keep the risks suggested from the toolkit? Do you have any techniques to assess the risk ourselves?
I need an expand scope of applicable standards and international regulations, and a clear statement of the goal, the intended scope of the study, a clear calendar schedule, and each artifacts on international requirements on personal data protection, telecommunications, incident investigation.
