ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Certification - RABQSA

    I have completed my certification which is RABQSA/NABET certified ( India). I tried registering in RABQSA and also NABET but i am not able to. Can i register myself in other certification bodies. If yes, Can you tell me the procedure. Also, What is the next step which I need to do. Please advice. Thanks, Vijay
  • Transition from ISO 27001:2005 to 27001:2013 standard

    I wanted to know about the transition from ISO 27001:2005 to 27001:2013 standard. If some company is 27001:2005 certified and their certification is expiring in 2014, then in that case on which version they need to get audited and certified? In how much time, in between, any company can do transition from ISO 27001:2005 to the new one?
  • When does RTO begin?

    Does RTO begin at time of incident or after assessment of the impact of an incident? To be ISO 22301 certified, will the organization’s definition of the starting point for RTO have to match the ISO’s definition of RTO. The published ISO definition merely states “following an incident” and it is not clear of the specific start time of RTO.
  • Mandatory processes for ISO 27001:2013 external communications relevant to ISMS

    1. Please see clause 7.4e: ....the internal shall include "the processes by which communication shall be effected"..... Does it mean the standard is mandating a 'Communications process'? 2. Apart from the above, I think the standard mandates only Risk Assessment and Risk Treatment processes/ plans. All other mandated docs are implementation level evidences. Am I right?
  • Questions about risk assessment/treatment.

    We have assessed our information security risks and found around 30 risks (We are a small company of 7 people). And only one of those risks does not currently have controls in place which make it acceptable.
  • BIA in Petrochemical Plan Definition of Activities for Operational department

    I am trying to do the BIA of my methanol plant and I am having difficulties defining the ACTIVITY LIST following the ISO standard. It has been very easy to define activities for all my business function HR, HSE, Finance, PR, etc However, the activities for operations are not clear to us. We have the activities from operational and maintenance point of view classified as shift, daily and weekly. How can we transform them into activities based on ISO 22301 so that the MTAO, RTO can then be defined Thanks for your guidance
  • ISMS Scope Assistance

    My company is contracted with a local data center to provide us with Infrastructure as a Service. The physical infrastructure that we use (firewalls, network switches, servers, and storage) is all leased from our datacenter host and they provide support of this physical infrastructure. My company's IT team builds and manages the operating system and application layers. Physical access to the equipment located at the data center is allowed to both members of my IT team as well as support personnel of the data center. In this situation, what is recommended to be included/excluded from the ISMS scope document? Thanks, Chris
  • Data Center audit preparation

    Please can you please let me know if you have a preview / blogs on Data Center audit preparation and also how to audit? Also on Cloud computing.
  • Coding of policies, procedures and records

    In your experience the task of the assigning the codes to Policies, process, procedure and registers. Is this responsibility of Security Information?
  • Question on General Impact Assessments in the BIA Questionnaire

    This relates specifically to the question on HSE concerns and the impact a disruptive incident would have on this issue (HSE). The thinking is that this topic may not be relevant to the financial sector as downtime of the activity will not generally have an impact on HSE; unless you're looking at specific scenarios. Your thoughts as I am inclined to remove it from the Questionnaire...