Guest
Please can i have some guidance on the assest list specifically thinking about vulnerabilities and threats: it is quite unclear whether we are talking about threats from or to the listed assests e.g. in terms of the building as an assest the threats options seem to point to a threat to the building whereas further down for instance third part contractors or suppliers seem to be talking about the threat from the third party.
be gratefull for any help
Question --> ISO 27001 ver 2013 has a "Business Continuity Procedure" listed as a mandatory document (clause A.17.1.2). However the Advisera Toolkit for ISO 27001 only contains 1 document in the "Business Continuity" folder (under General Policies) and it is a " Disaster Recovery Procedure" -- NOT a BC procedure ?? Since 'Business Continuity' and 'Disaster Recovery' are two separate contingency plans, is there another location in the Toolkit where the BC Procedure is located?
Thank you for your outstanding support.
Complementary question: This document is listed as a mandatory document in Advisera "List of Required Docs for ISO 27001 / 2013, but the only document included in the Toolkit under the "Business Continuity" folder is a "Disaster Recovery Procedure" ???
1- Why are confidentiality, availability, and integrity not considered in the Risk assessment? and how Conformio is addressing them.
2- Why is there no prioritization for actions in RTP? This should be identified based on the risk levels.
we only see a list but it's not based on the risks identified.
After purchasing ISO27001 templates and following your training it is not completely clear to me if ISO27001 obligates that nonconformities need to undergo a risk assessment / analysis and that this needs to be documented.
Can you clarify this? Thanks.
Our company has about 50 employees and we develop and manufacture a product with both software and hardware components.
Do we include in the scope document the back-office systems that are used for HR, Marketing, Sales, Finance (inc salaries), and CRM?
I would assume that our customers will not be interested in that but are rather focused on ISO 27001 referring to product-related-systems like R&D, Software development, Manufacturing. And also us protecting their medical information that might be stored on the device.
I frequently come across an article that I find extremely helpful, and now I would greatly appreciate your guidance on the following matter. Our organization has already implemented ISO 27001:2013, a new version has been introduced. Currently, I have a Statement of Applicability (SOA) that is based on 114 controls from ISO 27002:2013. My question is whether I should create a new SOA consisting of 93 controls in accordance with ISO 27002:2022, and subsequently make the necessary updates on my current SOA . Your advice and support in this matter would be greatly appreciated.
HI there, I have been qualified as a Lead Auditor on 2013 objectives, can 2013 objectives still active and organisation can be certified with that objectives?
Control A.8.12 DLP is relevant to us as Intellectual Property that's stored largely on Google Drive is one of our most important assets.
However, we do not have the budget to enable Google's DLP rules.
How do we explain this in our documentation in a way that we still pass the ISO 27001 audit?
I'm unclear on who should be signing the confidentiality statement. Should this be our employees, or our external clients and suppliers?
The tool shows ISO27001:2013 A.18.2.3 splitting between ISO27001:2022 A5.36 A8.8 when you convert it but the tool shows it subsuming into A8.8 when you convert 2013:A.12.6.1 (doesn't mention the split). Can you clarify? Thank you