
ISO 27001 & 22301 - Expert Advice Community


  • Risk Assessment vs Incident Management

    We've received the following questions:
    1. I would like to know the difference between Risk Assessment and Incident Management.
    2. During risk assessment, we consider Disaster as a risk; how can it become an incident later, even if it was identified earlier?
    Answers:
    1) Risk assessment is a process where you try to identify all the potential security breaches that might happen in the future. Incidents are the risks that have materialized, i.e. the real breaches that have happened; incident management is a process for managing incidents.
    2) Disaster itself is not a risk, it is a threat; it can become an incident if you didn't implement all the security controls to prevent such an incident.
  • Exclusion of controls

     Which controls from Annex A can be excluded, if my organization:
  • Communication Plan and Corrective Actions

  • Get qualifications

     We have 3 IT personnel within the Agency IT Department. As we implemented the ISO 27001 standard a few years back after an IT audit, we would like information on how to proceed to get qualifications within this area. Any advice on this area and what training path to take would be much appreciated.
  • Security Compliance Management

    I think that Annex A from 27K1, part 18 Security Compliance Management, is missing in your toolkit, or ... I can't find it. This part is necessary for successful certification.
  • Differences between third party and suppliers

     Can you confirm what the differences are (if any) in regards to third parties and suppliers (vendors), in respect of third party agreements vs. supplier relationships? I'm thinking none; is it just a case of terminology?
  • The owner of the ISO 27001 has been changed to a new department

    I do have one critical question. In our organization we are already certified on ISO 27001:2005 under the ownership of one department. The organization established a new GRC function (department), and one of its roles is to own and manage the ISO 27001 certification. Will the certification be voided if the owner of the ISO 27001 has been changed to the new department (the two departments are under the same organization)?
  • Information Security Objectives

    Hi friends, based on ISO 27001:2013, do "Information Security Objectives" refer to 'confidentiality', 'integrity', 'availability', 'non-repudiation', and so on? Is it true? Additionally, how do you measure them? And what would the plan or framework to achieve them be? Thank you. Best regards
  • ISO 27001 and ISO 20000

  • Methodology for the risk assessment & treatment