ISO 27001 & 22301 - Expert Advice Community

  • Form for the Risk acceptance

  • Non-conformity and information security incident

  • BIA for communication department

  • What indicates a successful implementation of the ISO 27001

  • Identification of Requirements - level of detail?

    Hi, I'm compiling my list of interested parties and their requirements for section 4.2. I have the list of legal/regulatory bodies etc., which is very helpful; however, I was wondering what level of detail I need to go into. For example, with the Data Protection Act, is it sufficient to include the general principles (e.g. "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."), or do I need to include more specific requirements such as, e.g., "those involved in recruitment and selection are aware that data protection rules apply and that they must handle personal information with respect"? It seems that if I go into that much detail, it becomes more of a control application than a scope document, so I'm not sure when to stop! Thanks
  • Obtain management support

  • ISO 27001 Lead Implementer / Lead Auditor

  • Technological vulnerabilities

  • Software development within the company

    Our company sells software we develop ourselves. Development is done within a separate system and is managed by its own policies and procedures, and has its own set of (security) requirements. Do we need to include these policies, procedures and requirements in the ISMS? I would prefer to exclude this from the ISMS scope, because we don't use this software in our own production environment and the requirements are customer-specific. Thanks.
  • Documents and procedures separately