My organisation is non-IT and we are already ISO 9001:2015 certified. Now a client wants us to be certified in ISO 27001. But that certification is not beneficial for us in future as we are a non-IT company. Can you please advise whether we should go for this certification just because the client is asking, or whether it has future benefits? If it is not necessary, then what reply can be given back to the client?
How many threats and vulnerabilities to display
I've got another question about the ISO 27001 Risk Assessment Table. In this table, should I only focus on the threats and vulnerabilities that are likely to happen, or can I include every possible option? How wide can and should I go? Because in the example I have seen on the video tutorial, you used 'flood' as a possible threat, which is very unlikely to happen I suppose. So does it matter if / is it necessary that I include all possible threats with a likelihood score of 0?
External auditor questions
Do you have a list of sample questions that the external auditor might ask?
Acceptable use policy and telework
1 - Can I refer to, for example, the ‘Acceptable Use Policy’ as an existing control to prevent the theft of a smartphone (with company information on it) of an employee? Or do I have to mention this in the Risk Treatment Plan?
Risk acceptance
Hello, recently we had a discussion within the software development team. As you know, control A.12.1.4 forces us to separate development, test and live fields. However, for some development tools, it is not possible to separate them. Also, some projects force us not to separate them all. In this situation, can there be an exclusion for not implementing this control? What can be the metrics for implementing or not implementing this control? Thanks for your help.
Risk assessment and treatment
We are using your toolkit for leading an organisation through certification.
Risk assessment, information labelling and security committee
Question 1:
ISMS scope definition
Can we restrict our scope of ISMS to IT Department and get certified for it for ISO 27001?
Annual auditing of controls
1- Once a company has secured their ISO27K certification and is performing annual internal audits of the controls, is there any reason for them to pay for an annual exterior audit versus providing the internal audit results to the firm that provided the certification?
Do we have to use the control A.12.1.4 for all software development processes?
Hello, recently we had a discussion within the software development team. As you know, control A.12.1.4 forces us to separate development, test and live fields. However, for some development tools, it is not possible to separate them. Also, some projects force us not to separate them all. In this situation, can there be an exclusion for not implementing this control? What can be the metrics for implementing or not implementing this control? Thanks for your help.