ISO 27001 & 22301 - Expert Advice Community

  • Who needs to sign an NDA?

    I’m building up the ISMS and I requested some positions in my company to sign an NDA in the ISMS, but I don’t know exactly who has to sign an NDA (e.g. Director, CSO, Security Representative, etc.). If I’m the boss, do I have to sign an NDA?
  • How I can build my career in ISO 27k implementation and auditing

    I am an info sec professional with 4 years of experience in penetration testing, secure code reviews, PCI DSS testing for web apps and a base knowledge of ISO 27k. I would want to seek your advice on how I can build my career in ISO 27k implementation and auditing for organizations. Are you based in the UK? Is there a company that you run and train people on ISO 27K? Since I am passionate and want to build my career as a Lead Auditor for ISO systems, I would want your advice and help in these lines. I am in the UK currently looking out for job opportunities.
  • Applicable legislation control in ISO 27001

    Do we need to identify only the legal requirements related to information security, or all the applicable laws and regulations (including HR, environment, etc.)?
  • How will we evaluate the deliverables of the consultant?

    My organization is currently in the process of selecting a consultant for developing the following: BIA, RA, BC strategy, and BCP. Implementation, training and testing will be done by ourselves.
  • Use old ISO 27001:2005 format for assessing the risks

    Has the VAPT or risk analysis or risk treatment method been changed, or is it the same as in 2005? Can I use the old format to assess the asset register, or do I have to change it? Kindly provide me a guideline.
  • Competences for business continuity specialists

    In our company we have already implemented and certified ISO 14001 and OHSAS 18001, and there are certain requirements within the assurance process for the competence of the people, like Awareness, Knowledge and Skill levels (this is how we apply the process for HSE competencies). So, I wondered if there are any requirements already available for business continuity specialists.
  • Responsibility for classifying the assets

    I have a question about asset inventory: who is responsible for establishing and assigning the owner of an asset? And, in my company, the assets/information classification is:
  • Information Systems Audit Control

    I would like to know exactly how to implement control 15.3.1 of ISO 27001 (Information systems audit controls). Is it about logging users’ activities on systems? Thanks in advance.
  • Information security policy - including references to clauses of ISO 27001 stand

    Shouldn't I include subsections/references regarding the clauses in the 27001 standard (i.e. chap. 4 - 10 and Annex A) in the Information Security Policy that is included in the package? Otherwise how do I ensure that IS policy, as an umbrella policy, covers all IS aspects?
  • What types of evidence are normally obtained for each of the controls

    I’ve watched several of your webinars, which I have found very helpful, and I have a question for you. I’m working on doing an assessment of our current ISMS and I’m trying to find what questions to ask and what types of evidence are normally obtained for each of the controls. Some of the controls are very straightforward, but some of them are somewhat vague, so I’m looking to find some guidance. For example, control A.12.1.1 regarding documented operating procedures I feel could be interpreted several different ways. I looked on your website and could not locate any guidance on performing an assessment of these controls. Do you have any suggestions on where you think I could find this guidance?