I've got another question about the ISO 27001 Risk Assessment Table. In this table, should I only focus on the threats and vulnerabilities that are likely to happen, or can I include every possible option? How wide can and should I go? Because in the example I have seen on the video tutorial, you used 'flood' as a possible threat, which is very unlikely to happen I suppose. So does it matter if / is it necessary that I include all possible threats with a likelihood score of 0?
External auditor questions
Do you have a list of sample questions that the external auditor might ask?
Acceptable use policy and telework
1 - Can I refer to for example the ‘Acceptable Use Policy’ as an existing control to prevent the theft of a smartphone (with company information on it) of an employee? Or do I have to mention this in the Risk Treatment Plan?
Risk acceptance
Risk assessment and treatment
We are using your toolkit for leading an organisation through certification.
Risk assessment, information labelling and security committee
Question 1:
ISMS scope definition
Can we restrict our scope of ISMS to IT Department and get certified for it for ISO 27001?
Annual auditing of controls
1- Once a company has secured their ISO27K certification and are performing annual internal audits of the controls is there any reason for them to pay for an annual exterior audit versus providing the internal audit results to the firm that provided the certification?
Do we have to use the control A.12.1.4 for all software development processes?
Hello, recently we had a discussion within the software development team. As you know, control A.12.1.4 forces us to separate development, test and live fields. However, for some development tools, it is not possible to separate them. Also, some projects force us not to separate them at all. In this situation, can there be an exclusion for not implementing this control? What can be the metrics for implementing or not implementing this control? Thanks for your help.
ISO 27001 implementation benefits
Why is it important to implement the standard, and what consequences does not being certified have?