ISO 27001 & 22301 - Expert Advice Community

  • Responsibility for identification of requirements

    About "Procedure for Identification of Requirements" - in small companies, who is usually responsible for the identification of requirements and interested parties - the COO, the CISO, or someone else?
  • Benefit of performing BIA for a single department

    Could you please tell me the benefit of performing a BIA for a single department using the documentation template? I'm trying to perform a BIA for all departments, but some areas cannot be covered in the new sheet.
  • Statement of Applicability/Annex A Documents

    Currently I am working on the Statement_of_Applicability document to properly fill out the different sections, and more specifically the A.15 Supplier relationships area. In the Scope document, we specifically excluded suppliers for the initial certification process, but we fully intend to revisit that process at a later date. Knowing that "Suppliers" are excluded from the scope, how would we specifically approach the Internet Service Provider, Firewall Management Vendor, service agreement vendors, and point-to-point network connectivity services to our DR and satellite office in another city? Would we exclude these external services/outsourced processes, or include them but specifically include the particular vendors for Information Services, as this is our main focus for the initial certification? Suppliers to a container shipping company, such as ourselves, would include any equipment, supplies, and maintenance products for our vessels and offices acquired through our corporate purchasing department or overseas in various ports around the world, so I wanted to see if and where the line would be drawn in the proverbial "sand". Thanks in advance for the assistance.
  • List of legal regulatory and contractual requirements

    Should the list of legal, regulatory and contractual requirements cover the whole organization or just the security function? Or IT AND SECURITY?
  • Risk identification

    Hello, when identifying risks, do we have to take into account those risks that are obvious and are already solved? For example: - electricity cut, if the organization already has a generator that starts automatically? - disk backup, if it connects automatically? - internet cut, if we have two providers and when one has problems we use the other one?
  • Steering committees for a smaller company

    Is it OK to combine the ISMC (info sec mgmt committee) with the ITSC (IT steering committee) in one document, as the company is small?
  • 7.2.2 labeling and handling

    Dear Dejan, do the documents and the assets (laptops, printers, faxes etc.) have to be labeled physically? I mean, do I have to type a label and stick it on the assets to mark them as confidential? Thank you so much for your guidance.
  • Criteria of IT company ISO certification

    Can you tell me the criteria for ISO certification of an IT company?
  • General impacts

    Hello Dejan, do the perspectives (reputation, client's reaction, backlog, etc.) in the BIA questionnaire (section 3) have the same weight? I mean, let's suppose that I have a high impact at 4 hours for "How difficult will it be to catch up on the backlog of work", but for the others I have only a marginal or acceptable impact. Is that enough to identify the MTPD?
  • RTO for IT System

    Hello Dejan, if I have a system (e.g. SAP) that supports two processes with different RTOs, how can I define which RTO is applicable to my system? Do I need to identify the criticality of my processes first?