ISO 27001 & 22301 - Expert Advice Community



  • Device asset tracking

    I have been involved with ISO27001 accreditation in my previous role. My main question was around the device asset tracking. For an asset, is the serial number an accepted method of identifiable name for a device?
  • Creating, reviewing, and approving documents

    Who shall create, review, and approve documents (i.e., policies and procedures) for ISO 27001? The practice in our organizations is that all Corporate Service Unit Heads that would be affected by the documents need to sign and will be "Endorsers" for the documents. I would like to propose that they minimize the number of approvers, but I need justification for the proposal. I just need a justification for reducing the number of signatories for the documents so that the routing would be lessened. I mean the governance team would be the signatories instead of a lot in the list.
  • Extension of scope by adding location where part of the controls are executed by our sister organization

    We want to add a subsidiary location to the scope of our ISMS. The risk picture is virtually identical, and they can therefore adopt the policies of our ISMS. The challenge is that their IT landscape is managed by our ISO 27001 certified sister organisation. This means that, for example, incident management and patch management are performed by the sister, with deviating policies. Is it sufficient for expanding the certification to include exceptions in our policies by referring to the policies of our sister organisation and rely on their ISO 27001 certification? Or do we need to perform additional steps for successful certification?
  • Risk re-evaluation processes Risk Treatment and Annex A controls

    If you could help me with this question about documenting risk re-evaluation processes and risk treatment with an ISO certified SOA already in place: Is it mandatory to document the mapping process, in other words to choose the Annex A controls for the relevant risks in the 05.2_Appendix_2_Risk_Treatment_Table from the drop-down menu, or is it enough that applicable controls are determined [necessary to implement, 6.1.3.b)] and compared [with Annex A, 6.1.3. c)] only in the SOA? I’m conducting a risk re-evaluation and if any new controls are applicable, I believe I’m able to spot them and write them straight to the SOA without mapping all the controls beforehand in the RT Table.
  • Document editing

    It is the IT Security policy I am working on. We are a fully remote working organisation so I have included the remote teleworking activities because that is where we all work. We do not have any offices. We also do not have any paper-based information. The IT Security policy takes the position that an organisation has offices and staff may need to work remotely/telework. For example, section 3.12: we do not have any paper or paper storage. Or 3.12.3: we don’t have offices so protection of shared facilities and equipment never arises. Or 3.1.7 Teleworking: we all work remotely so it does not need to be authorized, as remote work/teleworking is part of our employment contract.
  • Question about toolkit

    I have many questions. The document templates included in the documentation toolkit: are these all the documents I should write and conduct? I am confused about conducting the documentation. I intend to start the project by implementing and conducting the key stages of ISO 27001, the PDCA four phases with risk assessment. Is it right, and can this approach be suitable to use as a milestone for the project? What is the difference between the mandatory documentation and non-mandatory documentation? And if I decide to select the PDCA concept, do I still need to write the mandatory documentation, since the four phases of this concept with risk assessment, I think, cover all or most of the mandatory documentation? If you understand me correctly, am I right?
  • Registering users

    As per ISO, who registers users in an information system: IT people or the owner of the information asset (business)?
  • ISO 27001 Internal Auditor Certification

    1 - I would like to do the ISO 27001 Internal Auditor Certification from Advisera, however, I would like to know whether the certification exam will be based on ISO 27001:2013 or ISO 27001:2022 or both. 2 - Also, we will be facing our 1st surveillance audit on June 13, 2022, my question is whether the newly added security controls will be checked by the auditor or it will be based on ISO 27001:2013 only.
  • Toolkit content

    Before purchasing the toolkit, I sent many emails to you to ensure the toolkit includes all the documents and templates that I need to implement ISO 27001 AND ISO 22301. But when I received the toolkit I searched for the documents or templates for clauses 4 to 10 and Annex A, but I did not find either the clauses or Annex A. Please can you explain that?
  • Implementation controls

    As part of buying the official ISO 27001 standard (We already know you do not sell it), must we buy also the Implementation controls or just the requirements? We would appreciate your quick answer.