ISO 27001 & 22301 - Expert Advice Community

  • Conformio - ISO 27001 Requirements

    I saw that based on the risks or tasks created when preparing the corresponding documents in the requirements section it states to include them in the doc, is that being done by manually adding the references in the editable sections or is there a different method? I have uploaded a screenshot as requested. As you can see in the requirements it states to be sure to resolve the listed risks. Should this be done by inserting some references in one of the editable portions or is it being done by the wizard in one of the steps? https://i.imgur.com/qEQfHVI.png
  • Questions about Scope of my ISMS ISO 27001:2013

    Good morning. Can you help me with the following questions? I would like to know what level of detail should be specified in the wording of the scope of the information security management system.

    1. Should I write the exact listing of all the information assets covered?

    2. Should I write the exact list of the information provided?

    3. Should I write the exact list of applications / software covered?

    4. Should I write the exact list of the physical offices covered?

    5. Should I write the exact listing of the databases covered?

    6. Should I write the exact list of websites / mobile applications covered?

    7. If I want to include all the information assets of my organization is it sufficient to write: "The scope of the SGSI covers all the information assets of the Organization" or do I have to be explicit by detailing all the information assets?

    8. I have virtual machines on Microsoft Azure that run critical applications. Should I specify that the scope only covers the applications installed on these virtual machines that are on Microsoft Azure, or should I also include the virtual machines and their contents?

    9. We currently have corporate mail with GOOGLE, and mail is a critical asset in our organization. Should I also include it in the scope if it is a service provided by a third party? What considerations do you have for the wording of the scope at the level of this service?

    10. Currently we send our customers emails and massive newsletters that contain important business information. These emails and newsletters are sent through a provider's software; should I also include it in the scope as a service provided by a third party? What considerations do you have for the wording of the scope at the level of this service?

  • Legal and contractual requirements question

    Looking through our List of Legal, Regulatory, Contractual and Other Requirements documents, we had a question. As a small company that deals with commercial driving fleets, are we expected to have a long list of these requirements? Of the list of requirements that were listed on the article linked in the actual document, none really applied to us. We do not operate in individual states that have these requirements, so we had very few there. As a whole, it seems like we only have a few contractual requirements with our customers. Does that seem right?
  • Mapping of requirements categories to ISO 27001 controls

    Hi Dejan, thanks for your reply, and I understand what you are saying in the bullet points. However, I do believe my questions are still not fully understood.

    1) There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the drop-down list for the Area field, right? But my point is that there is no option for Human Resources Security available from the drop-down list for the Area field. So my initial question some time ago was: why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the Area drop-down list?

    2) I understand the reasoning behind mandatory safeguards, but my question about that was: where do these requirements show up in the SoA? Or do they need to be added to the SoA manually?

    I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as part of request 63693. I would still very much appreciate having a few hours of detailed training in the use of Conformio (like explaining the function of every field), as there are still areas that are unclear to me, that are not documented, and that are costing me a lot of time getting them answered by sending emails to support and even going back and forth quite a few times, like about this issue. I would appreciate it if some training is available in the short term.
  • Corrective actions and nonconformities

    How could the nonconformities found in the internal audit and exposed in the corrective actions affect the external audit? What happens is that in the organization where I am, they are afraid that we will find major or minor nonconformities, because they think that the external audit will be based on these results, so they prefer to just use nonconformities in general and not use major or minor nonconformities in the form.
  • ISO 27001 and ISO 22301 Policies

    I hope you are well and had a relaxing weekend. I have acquired the premium papers for ISO27001/22301. I have a few questions with regard to implementing an ISMS within our organisation, on which I hope you would be able to provide me with guidance. Please note this is a ***. I am not sure, but you may need the existing documentation, which I will provide if requested.

    Some additional info on me and my position within ***: I started less than two months ago as an IT Security Manager, although the title does not signify my overall responsibility for Cyber Security and Business Continuity/Disaster Recovery. I am still trying to find all the details with regard to the security posture and security stack I am responsible for. Some of it is owned and managed by a third-party IT provider, who outsources the SOC and Forensics. Currently I have been asked to provide input on some policies and to provide expert guidance for business continuity if a total blackout of power for a week occurs. Here are my questions:

    Currently the password policy is part of the ISMS and has a couple of lines. The policy is a framework that does not provide technical details. I see your policy template is slightly more expanded. What other document/statement/process/procedure do I need to develop to complement this policy, which will include the details of the implementation and controls we use within the organisation?

    Second question. The password policy does not work. People are using digital files to store their passwords, using the browser to remember their passwords, or using private password management apps. How would I define the risk associated with this? I thought risk of noncompliance, but this is not the correct main risk. So what would be the risk associated with a not correctly defined password policy?

    Next question: we have no patch policy and need to define the risk. Please note we have a robust patch policy which is decent. The only issue we have is that some users do not use the devices and they become high risk. Any info on the risk definition, as well as what we can enforce so the devices are connected once in a while (monthly), would be appreciated.

    We have no weekly vulnerability scanning. I am not sure how to define what the RISK is in terms of definition. The same goes for not having visibility of the security stack. The support company is slow to provide me with reporting and read access to the security systems in place. I do not have good reporting to provide SME to the board.

    BC/DR: On the BC/DR, where do I start? We have one general overview of the BC/DR as a policy with a people hierarchy. Resilience and Emergency Planning exercise: we previously did a live one but should consider tabletop and other ways of doing it (I have not been involved). What would be your recommendation on how to lead and prepare for this? Please note my previous company was only 30 people and was straightforward. Now it is 250, with a number of departments, and it needs to follow some Government framework.

    The total blackout plan (a week of no electricity). Please note our business would not suffer any damage from this downtime. Only a couple of people after that period need to be able to communicate. Any suggestions on where to start would be great.
  • Is Conformio for us?

    *** has several offices around the globe and has a total of around 1000 employees. If all offices will be within our scope, can we still use Conformio to get our objective?
  • Question about ISO-27001

    I'm writing to ask about the requirement for a remote-only organization to own an office space in order to become ISO 27001 certified. The question has been partially answered here: https://community.advisera.com/topic/certification-of-remote-companies/ The answer explicitly states that we should ask our CB, which we have done, but since they are not allowed to provide advice beyond what is necessary for the audit (to avoid conflicts of interest, I assume), I was wondering if you could provide some additional guidance on this. Namely, whether the location to be audited has to comply with some minimum requirements in terms of size, amenities, equipment and others. 1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether, and that the security control A.11 (physical and environmental security) becomes non-applicable? 2 - How does that compare to a rented room or desk in a co-working space? I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matter.
  • ISO 27001 Risk Assessments

    When conducting an ISO 27001 risk assessment, are the risks identified through the ISO 27001 controls themselves, or are they just random risks that our business identifies?
  • EU GDPR & ISO 27001 Integrated Documentation Toolkit questions

    1. We have completed the GDPR Assessment (file 1.1) and most of the answers are negative, since we have just started working on the GDPR as well. It's mentioned in the file itself that "If you answered, “No,” to some questions, it will indicate where you need to focus your compliance efforts." Does this mean that we have to first work on what is missing from the GDPR, hence turn the "no's" into "yes", and then proceed with the ISO documents (Requirements, ISMS Scope etc.)? Or is there a different process we should follow?

    2. Once we finish the first draft(s) of our ISMS scope, we would like you to review it as part of the package services we have purchased together with the documentation. Is there a certain procedure we should follow? Given the fact that the Scope is the baseline for implementing ISO, we believe that it would be wise to ensure that our ISMS scope is reasonable and meets all the necessary features.