ISO 27001 & 22301 - Expert Advice Community

  • Auditor findings - Opportunities for improvement

    The final auditor's report has a lot of comments known as Opportunities for Improvement (OFI); some of them make sense to us and some do not. One of my advisers told me that if I don't do anything regarding these OFIs, the auditor will raise them as minor NCs at the next visit. Is that true, and do I have to do something?
  • Master list of documents

    I've received this question:
    After risk assessment and treatment, I come to find out that there is something called masterlist of documents. I would like to know much about it please. I am not clear about that.
    A master list of documents is not a mandatory document, but it can be very useful for the internal and external auditors, because they can identify what the organization has.
    The main objective of the master list is that the organization knows which documents exist in the ISMS. So you need to identify all documents of your ISMS and then include them in the master list. For each document, list the name; you can also include the person responsible, the version number and the date of the last change.
    If you need to know the list of mandatory documents for ISO 27001:2013, I recommend this article: “List of mandatory documents required by ISO 27001 (2013 revision)”:
  • Use of secret authentication information

    I have a query on one of the controls in the Annex, i.e. Use of secret authentication information (9.3.1). If the entity opts for the control, what is expected to be maintained as policy/procedure, and what evidence?
  • Controls A.9.3.1 and A.11.2.8

    I have questions regarding the following controls: A.9.3.1 and A.11.2.8. I do not know in which cases I can use them.
  • Nonconformities and Potential Improvements

    Hello, we are now in the course of updating our ISMS documents to comply with the new version of ISO 27001:2013, and I need help regarding the corrective action procedure. In our current procedure we manage both nonconformities and potential improvements, and according to the new version, potential nonconformity and preventive action are no longer required. So how can we manage the potential improvements raised by employees, or raised during the internal audit, for example?
  • Differences in BCM 2005 and 2013 revision of ISO 27001

    How must you update an integrated management system based on ISO 27001 from the 2005 to the 2013 version when you have a BCM implemented? Do you have specific guidance for this that you can share with me?
  • Using scales for calculating risk

    If you are using a scale (say 1 to 5 for impact and likelihood), then computing risk is easy by adding I + L or by multiplying. But if you are using a scale such as Low, Medium and High, how would you compute risk? Looking forward to your guidance.
  • Pandemic - BCP scenario

    Our organization was once asked by one of our clients if we address the specific loss of staff, such as that which may result from a pandemic. I am in the process of reviewing our organization's BCP, and my question is: what could be the justification to add or include any scenario in our BCP, since there are many, potentially unlimited, scenarios that could be added to a BCP?
  • ISO 27001 measurement

    I was considering the measurement and effectiveness part of the ISO 27001:2013 standard and I am having problems wrapping my head around it. Kindly advise on the best way to prepare a document for the external auditors on what needs to be measured and how to measure it, or, if possible, a sample template I can work with.
  • Incident Log

    Who should update the incident log?