
ISO 27001 & 22301 - Expert Advice Community


  • Does internal auditor need to have a certificate?

    Is it necessary for the company's internal auditor to have this certification?
  • Risk treatment plan and SoA

    1 - I am getting confused with the Residual risk acceptance table in the SoA document. Could I be assisted with any video tutorial, as I am unable to link it with the SoA and even the Risk treatment plan?
  • Segregation of duties

    I have an issue with clause A.6.1.2. My company is small; do you have some information or an example?
  • Filling SoA

    We are working our way through the templates. So far I really like how organized and well documented they are. I do have a question on the Statement of Applicability (Ch 06). Do you have a sample document that is fully filled out for an organization? I am trying to get a better sense of what information we should be putting into the various columns.
  • Risk value calculation

    Just need enlightenment on a trivial thing: normally I have seen that risk impact is a multiple of likelihood and consequence/severity, i.e. Risk impact = likelihood of occurrence x consequence faced. However, in your document Risk impact is taken as the sum of both consequence and likelihood. Is there any technical reason why this is so?
  • Asset inventory and risk assessment

    1 - Is it recommended to fill in the INVENTORY OF ASSETS right after RISK ASSESSMENT?
  • Risk owners empowerment

    1) An organization is a mix of diverse people. When delegating the task of RISK ASSESSMENT and RISK TREATMENT to the RISK owners, how do you suggest empowering them to choose appropriate controls from Annexure A? Obviously an introductory training is needed, but it may not be possible to touch every control in Annex A in great detail.
  • Risk assessment and treatment

    1 - In the risk assessment/analysis part, the risk values have been evaluated. Now, in the risk treatment table (options), it is required to indicate again the impact and likelihood level. Why? Is this a copy/paste task to list only unacceptable risks (excluding all risks under a defined value)?
  • Risk assessment and treatment process

    Considering this scenario: starting off the process by 1) identification of assets, followed by 2) assigning vulnerabilities and threats and calculating the risk impact. During these two phases we would fill up the RISK ASSESSMENT TABLE and RISK TREATMENT TABLE. Then we would complete the RISK ASSESSMENT REPORT and move on to completing the SoA. After the SoA we will fill in the RISK TREATMENT PLAN.
  • Policies and procedures development

    I have started filling in the policies and procedures as given in the toolkit, but I cannot figure out which policies and procedures would require direct input from other departments.