ISO 27001 & 22301 - Expert Advice Community

  • Quantity and quality of ISO 27001 documentation for certification audit

    I have a question about the ISO 27001 certification process. I got the list of mandatory documents and registers. However, I want to know your feedback regarding the certification process. Could a certifier evaluate the quality of these documents and registers? Or does he only evaluate the completeness and quantity? I have always had this question. Does the process want both things? What should I take into consideration for this process?
  • Query regarding Server access and related Risks

    Hi, one of our customers is asking for access to a server to access source code. Our networks team suggested opening port 22 to give access to the servers. I wanted to understand the risks of this approach and whether it is good practice to give access to source code.
  • Is clause 7.2 Competences of personnel mandatory in ISO 22301?

    I have been reading your book “Becoming Resilient. ISO 22301….” and I am enjoying it, but I have a doubt: why is clause 7.2 Competences of personnel in the list of mandatory documents? I believe clause 7.2 is non-mandatory because it is within the Awareness and Training Plan. I checked it, and clause 7.2 is also in the non-mandatory list. What is the reason for this clause being in two lists?
  • ISMS scope in Quality Manual

    Should the ISMS scope be its own document, or can it be combined with the quality manual if the organization has already implemented ISO 9001?
  • Assessment of processes

    Hello, I am currently assessing some processes in our ISMS. Can you please help me with some questions to ask, or some threats/vulnerabilities compromising the availability, confidentiality and integrity of a process? Many thanks
  • Information security incident management categories

    Hello, there are several categories of information security incident management related to IT, e.g.: denial of service attack, illegal use of software, malicious code, spam, etc. I'd be grateful if you could list me some IS incident categories other than IT security incidents, for example: physical interference in secure areas, loss/theft of laptop, ... Thanks in advance
  • Secure system engineering principles

    Dear Dejan, could you please tell me what document or action I should prepare for the Secure system engineering principles (clause A.14.2.5)? Thanks in advance, Gökhan
  • connection between BCP and security

    Dear Mr. Košutić, our CISO and Organisational Officer both see the close connection between BCP and information security in the 27001 standard. The question is whether to put the CISO and BCP together in our organisation (perhaps in Compliance) or not. Do you see the connection between them in the 27001 standard, and where (how to argue that)? I work in a financial institution (bank). Thank you in advance and best regards!
  • Statement of Applicability & auditor's comments on effectiveness of controls

    I have just watched the tutorial video on "How to Write ISO 27001 Statement of Applicability" and noticed that there wasn't a column for the certification body's opinion on the effectiveness of the applicable controls. According to the tutorial video this is not a mandatory field. Where, then, does the certification body document their opinion on the effectiveness of each of the controls? Secondly, can the certification body issue certification if there are any weaknesses in the way some controls are implemented, or must they all be 100% effective? Regards, CM
  • How does IT complete a BIA

    In a banking environment, the IT Dept.'s major role is to provide support to the network, and their RTOs are for the most part driven by those of the branches and units they support. In light of this, what is the best approach for an IT Dept in completing a BIA questionnaire? Where should their head space be when completing this questionnaire?