ISO 27001 & 22301 - Expert Advice Community


  • Identification of processes and activities

    Hello, I hope all is well with you guys. My question is about identifying processes and activities for BIA analysis. In the BIA form from Advisera, we analyze activities. For the purpose of the example, the activity "Call Center" was typed in. Have you ever considered identifying processes and activities according to the Process Classification Framework from APQC? In this 5-step classification, activity is a very detailed part of the process. Which one should I include in the BIA analysis? ISO is very vague in this regard, with a vague division between process/activity/task.

    PCF gradation:
    1 Category
    1.1 Process Group
    1.1.1 Process
    1.1.1.1 Activity
    1.1.1.1.1 Task

    Example of PCF gradation:
    6.0 Manage Customer Service
    6.1 Develop customer care/customer service strategy
    6.1.1 Define customer service requirements across the enterprise
    6.1.2 Define customer service experience
    6.1.3 Define and manage customer service channel strategy
    6.1.4 Define customer service policies and procedures
    6.1.5 Establish target service level for each customer segment
    6.1.6 Define warranty offering
    6.1.6.1 Determine and document warranty policies
    6.1.6.2 Create and manage warranty rules/claim codes for products
    6.1.6.3 Agree on warranty responsibilities with suppliers
    6.1.6.4 Define warranty related offerings for customers
    6.1.6.5 Communicate warranty policies and offerings
    6.1.7 Develop recall strategy
    6.2 Manage patient care outreach programs
    6.2.1 Develop and implement patient care outreach programs
    6.2.2 Monitor and evaluate outcomes of patient care outreach programs
    6.2.3 Cycle outcome results into design of patient care outreach programs
    6.2.4 Monitor participation and compliance with patient care outreach programs

    What do you think about it? Kind regards, E.
  • Unable to edit the project plan

    If we implemented a project plan some time back, let's say we want to tweak a new plan that is forward looking. Is that possible?

    The project wording in Conformio that is unchangeable seems to suggest that after an initial implementation project there is no ability to record or manage other discrete projects using the Conformio wizard.
    An example project item might be to enhance our monitoring capability.

    Is it the case that, instead of a future project plan/s as such, the way forward for all mini projects is to capture all tasks as part of corrective actions etc.? I.e., the Conformio project planning module is purely for initial implementation, i.e. not to cover post-implementation exercises?

    I look forward to your response, so I can advise business senior management and the auditor accordingly.

  • ISO 27001 Internal Auditor Exam - Expert Question

    Do you add or multiply to find risk? For the risk assessment, do you add or multiply the impact and likelihood of risk? In ISO 27001, under risk assessment, the 3rd module, called risk assessment, has a chart that shows them added together, and in the video he states they can be added or multiplied. So I wanted to clarify: is it actually both if they ask on the exam?

  • ISO 27001 Suppliers relationships for small company

    As part of ISO 27001 Supplier relationships A.15, and specifically the suppliers' risk assessment, management has taken the decision that, as a small-size business, the risk assessment for the critical suppliers will be performed mostly through an online audit, for example undertaking further research by checking Google, review websites and social media pages, and on extremely rare occasions further steps like asking for NDAs and/or providing awareness training will be actioned.

    In the light of the above, would that be sufficient in terms of ISO 27001 certification, and can you recommend any tool or even resource that could assist us in auditing suppliers online?

  • Information Security Policies and Procedures

    1 - Can you have a look at the document (for review purposes)? The document will be sent once you confirm.
    2 - What do you recommend: shall I keep all Information Security policies and procedures in one document, or shall I keep every policy in one document and the procedures also in another document?
  • 27001 questions

    We are in the implementation stage of ISO27001 certification. Our commercial headquarters are located in ***. At the same time, our operation is developed in several regions. We have the following questions:
    1 - What are the organizations where we could request the certification process in the US?
    2 - Is it possible to develop audit processes with workers from various countries?
    3 - Is it possible to carry out the certification with an entity in the US and for the audit and evidence process to occur in Spanish? If positive, we would love to know if you have had any experience under this modality.
    I say goodbye hoping that you can support us in answering these concerns. Thanks in advance for your guidance to streamline the implementation processes.
  • Annex A controls

    I am using your Toolkit to develop my ISO27K documentation. Cross-checking the Annex A controls and those referenced in the templates, I noticed that some controls are missing. For example, the complete A.5 and A.6 are not referenced anywhere, as well as sub-controls from A.9, A.11 (many) and A.12. How shall I deal with them? If you like, I can send you the whole list. Do they refer indirectly to the documents, or do I have to create new ones from scratch? I am trying to compile the SOA but I can't, due to the above.
  • ISO 27001 Documentation

    Do you have an asset tracking document format in your toolkit or available on your website?
  • Three-Year ISO Certification Cycle

    Hi, this is my first question here! Where exactly is it defined that ISO 27001 has a 3 year certificate to include Stage 1 & 2 audits along with annual Surveillance Reviews until its expiration? I'm still trying to wrap my head around Certification Bodies. Thank you.
  • Conformio Risk Register

    I noticed that the risk register within Conformio is built with an asset-focused method of doing risk assessment (as per version 27001:2005). However, with version 27001:2013, the risk assessment method is information-focused (6.1.2.c.1).

    My question is do you have a risk register module that follows information-focused approach?
