ISO 27001 & 22301 - Expert Advice Community

  • ISO 27001 Suppliers relationships for small company

    As part of ISO 27001 Supplier relationships (A.15), and specifically the suppliers' risk assessment, management has decided that, as a small-sized business, the risk assessment for critical suppliers will be performed mostly through an online audit, for example by undertaking further research on Google, review websites and social media pages; on extremely rare occasions, further steps such as asking for NDAs and/or providing awareness training will be actioned.

    In light of the above, would that be sufficient in terms of ISO 27001 certification, and can you recommend any tool or resource that could assist us in auditing suppliers online?

  • Information Security Policies and Procedures

    1 - Can you have a look at the document (for review purposes)? The document will be sent once you confirm.
    2 - What do you recommend: shall I keep all Information Security policies and procedures in one document, or shall I keep every policy in one document and the procedures in another document?
  • 27001 questions

    We are in the implementation stage of ISO 27001 certification. Our commercial headquarters are located in ***. At the same time, our operation is carried out in several regions. We have the following questions:
    1 - Which organizations could we approach for the certification process in the US?
    2 - Is it possible to develop audit processes with workers from various countries?
    3 - Is it possible to carry out the certification with an entity in the US while the audit and evidence process takes place in Spanish? If so, we would love to know whether you have had any experience with this arrangement.
    I say goodbye hoping that you can support us in answering these concerns. Thanks in advance for your guidance in streamlining the implementation processes.
  • Annex A controls

    I am using your Toolkit to develop my ISO27K documentation. Cross-checking the Annex A controls against those referenced in the templates, I noticed that some controls are missing. For example, the complete A.5 and A.6 are not referenced anywhere, as well as sub-controls from A.9, A.11 (many) and A.12. How shall I deal with them? If you like, I can send you the whole list. Do they refer indirectly to the documents, or do I have to create new ones from scratch? I am trying to compile the SoA but I can't, due to the above.
  • ISO 27001 Documentation

    Do you have an asset tracking document format in your toolkit or available on your website?
  • Three-Year ISO Certification Cycle

    Hi, this is my first question here! Where exactly is it defined that ISO 27001 has a 3 year certificate to include Stage 1 & 2 audits along with annual Surveillance Reviews until its expiration? I'm still trying to wrap my head around Certification Bodies. Thank you.
  • Conformio Risk Register

    I noticed that the risk register within Conformio is built with an asset-focused method of doing risk assessment (as per version 27001:2005). However, with version 27001:2013, the risk assessment method uses an information-focused approach (6.1.2.c.1).

    My question is do you have a risk register module that follows information-focused approach?

  • Query on Business Continuity Plan

    A query regarding the Business Continuity Plan. In document A.17.4, clause 3.4 states: "The Disaster Recovery Plan and the recovery plans for particular activities are activated exclusively by decision of the Crisis Manager, when he assesses whether a certain activity will remain interrupted for a period greater than the recovery time objective for that activity." Does this mean that the DRP will be activated as soon as the incident exceeds the established RTO?
  • Enterprise Account for Security Awareness Programs

    Thanks a lot for your emails (I'm also registered under ***), but I'm writing to you from my company's email now. You may not remember me, but we were in contact in 2016, when I was implementing ISO 27001 for a customer in ***. At that time I bought (acquired) the "ISO 27001 Toolkit" from you, and it was really very helpful. If you remember, I also bought your EU-DSGVO Toolkit later (2017). Since 20198 I have become a freelancer for Compliance & Information Security, and I'm very happy about that, because I have been very successful the whole time. Now I'm starting a project for a different German customer to implement Business Continuity Management according to ISO 22301. What I need to know is whether your ISO 22301 Toolkit is much different in content compared to the ISMS one. This is the content of my ISO 27001 Toolkit: https://i.imgur.com/PubatBn.png I need your answer as an expert, not as a commercial vendor, so I need to know whether I'll receive added value if I buy your ISO 22301 Toolkit for my current project. Please let me know, from expert to expert, whether this makes sense for me or not. If you tell me it really makes sense and will be helpful for implementing the BCM project, then I'll place an order with you. Perhaps you'll remember me as a client and make me a special offer for this BCM Toolkit. I really appreciate an expert answer from you.
  • ISMS implementation

    At the moment, my questions regarding ISO implementation are:
      • In document 2.1 it asks for requirements. It is not clear to me how to identify those requirements. Can we link them to controls from the Annex?
      • For the ISMS scope: we want to certify only our location in Belgium, and we were advised by certification bodies not to mention our second location in Poland at all. However, our processes happen regardless of the location, and part of them happens in Poland. Can we (and how) exclude Poland from the ISMS while keeping the processes?
      • Given that it's the first time we implement ISO in aug.e, what are the steps we should follow regarding filling in the documents? It seems to us that we will have to go back and forth in a way that will be quite confusing. I couldn't find any relevant information in the Advisera courses.