
ISO 27001 & 22301 - Expert Advice Community




  • Control Effectiveness Report

     Last year we had a surveillance audit under the 2005 standard and at one point our auditor asked for a Control Effectiveness Report. I was dumbfounded, I had no idea what he was talking about. Have you heard of a report like this before, measuring the effectiveness of each control or control group? Do you have any recommendations on how we could achieve such a report?
  • Time out and timed session

     I was wondering if you could clear up a question for me. I have a client that says for their users of their cloud based application they need both an inactivity time-out as well as a timed session time-out to be compliant. Can you shed any light on this, as it's hard to determine what is actually required as opposed to recommended?
  • Clause vs related control or vice-versa

     Is it possible for you to provide me with a guide re above subject? Basically, a table or an Excel file mapping Clauses vs Controls for ISO 27001:2013. Does such a thing exist?
  • Asset list and Certification Audit

     Should we share our asset list with them to ensure there are no duplicates across our asset lists? So they go ahead with the audit of assets on their list (i.e. the assets they manage and operate) and we continue with the surveillance audit of our asset list (i.e. the assets we manage and operate). Meaning we don't have to undergo the end-of-year audit twice, including all the documentation, records and controls implementation etc. In other words, we as System Owners (of the customer's systems, who are the data and business owners) continue to be responsible for compliance.
  • Nomenclature recommended for control of the documentation

     I was wondering about the nomenclature recommended for taking control of the documentation. Do you recommend any codification or code to implement in any project?
  • Risk Acceptance Criteria

    Our org is ISO 27001 certified. I want to design a Risk Acceptance Criteria policy and need help with that. Actually, a few controls on risks require high finance, so in this scenario how could we accept it with the approval of management?
  • Secure System Engineering Principles Document

    I do not see a Secure System Engineering Principles document. Is it within another document?
  • Some questions about ISO 27001:2013

    ISO 27001 indicates to identify the risk owners (clause 6.1.2 c.2). What is the purpose of this clause? How do we determine the risk owners?
  • Asset category

    My company is using a third party for maintaining the fire alarm and HVAC, so in which category can I put those assets? In infrastructure assets or third-party assets? Please help me with this.
  • Risk related to our building

    I am still in the risk assessment process, and there is a risk related to our building: water damage. This risk has high likelihood (since our building is built above low-level ground water, I mean: if we dig the ground to 2 meters depth, we can easily find water) and resulted in a medium risk level. According to our organization's risk assessment policy, this risk level has to be mitigated. But somehow we cannot find any feasible mitigation to respond to this risk, due to the high cost of investment. So, in times like this, what would you suggest? My plan is to raise this issue to management and ask their approval to accept the risk.