ISO 27001 & 22301 - Expert Advice Community




  • Procedures for suppliers to cover the control of External Providers

    I have a question concerning my 22301:2019 package.

    I have two companies


    offers environmental technologies and specializes in the design and manufacture of prefabricated innovative water treatment and wastewater systems, which incorporate innovative advanced solutions and are suitable for wastewater treatment for civil and industrial applications.

    Both use external providers (supply chain), such as technical services, drivers and trucks, external warehouses and engineers.

    Where in this package can I find procedures for suppliers to cover the control of external providers?

    8.1 Operational planning and control

    The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, by:

    The organization shall ensure that outsourced processes and the supply chain are controlled.

  • Corrective action plan for audit observation for clause 8.1 of ISO 22301

    Good Morning 

    There is an external audit observation (minor nonconformance) for clause 8.1 of ISO 22301 with the following statement:

    There was no objective evidence of process plans identifying the process criteria and the controls implemented in accordance with the criteria.

    What is a corrective action plan for this audit observation? How do we close this minor nonconformity (is any new document/procedure required)? Your prompt guidance/help on this matter is appreciated.

  • Documenting mandatory documents for ISMS

    How to document mandatory documents for ISMS?

  • Compliance with monitoring and measurement requirement

    What would compliance with the monitoring and measurement requirement look like? Would these be indicators?

  • Updating the Incident Management Procedure

    I am going to update the INCIDENT MANAGEMENT PROCEDURE to fit our own company. I have some questions.

    It would be great if you could share some examples for different categories like security weakness or event and incidents. This way we can get a better understanding of each type.

    Should we include our maintenance window in this document to exclude it from our SLA? I mean, we use this document as a reference for the SLA.

    Do you recommend any tool for handling incidents that is suitable for a small business?

  • Contingency planning 

    I have just some questions regarding contingency planning.
    1. Is a contingency plan part of the ISO 22301 requirements?
    2. Who should develop the contingency plan and scenarios?
    4. Are there any conflicts between having a contingency plan ready and an ITDR project? I mean, is it an obstacle for the DR project if I do not have a contingency plan ready?
    Finally, do you have a kit for crisis scenarios?
    Thanks a million.

  • How to exclude information in the definition of scope?

    We have purchased your "ISO 27001 Power Toolkit" and would need support. We, ***, offer our customers a SaaS solution. We are currently preparing for TISAX certification and are in the process of setting up the ISMS. TISAX is largely based on ISO 27001.

    Here is my question about the scope to be determined:

    Our headquarters are in the ***, with branches in various countries, among others in ***. Only the branch based in *** should be certified and defined in the scope. The design and maintenance of the IaaS and SaaS is specified and executed by the *** headquarters; therefore we want to treat this area (hosting), and thus its service lines, as a supplier. The problem is that employees in our IT department in the *** branch take on maintenance and administrative tasks for the EMEA area of hosting. How can this be excluded in the definition of the scope?

  • ISO 27001 certification

    What are the requirements to certify a company in the printing sector?

  • ISO 27001 certification

    What are the requirements to certify a company in the printing industry?

  • Is PII Information?

    Dear Dejan,

    I have a question for you if you can help me on this.

    Is customer PII considered information in the ISO 27001:2013 standard?

    If yes, then shouldn't monitoring of PII shared with vendors be mandatory and not dependent upon contractual agreement? Shouldn't it be disallowed to exclude this activity from the contractual agreement?

    This question confuses me regarding allowing exclusions in the ISMS.
