Hope you are doing well.
This is ***, one of the participants in yesterday's webinar - ISO 27001/ISO 22301: The certification process. At this point I would like to express my great thanks and appreciation to you, because without your free ISO 27001 courses and free webinars I wouldn't be in my company's ISO 27001 project team right now.
The reason I'm writing to you now is that I'd like to hear your input on a discussion I had just 2 days ago during our ISO 27001 implementation meeting here in the company where I work. Based on the defined ISMS scope, for now we primarily need to prepare only the IT Department for ISO 27001 certification. (Afterwards we shall continue with other departments; currently the urgent need is IT, of which I'm also a member as a system/network/security engineer.)
The project team consists of 6 people. Yesterday during the discussion, all other 5 members were insisting that there is no need to cover any section from ISO 27001 Annex A.7: Human Resource Security, while I, on the other hand, was trying to convince them that yes, we definitely need to cover this control, not only because it is part of Annex A but because it is directly related to IT areas as well.
It was impossible to convince them; they still insist that the ISMS scope and the certification goal is IT, not HR. And now I'm wondering, are they indeed right and I'm wrong? I'm really confused, and for sure I do not want to make a bad impression from the very beginning.
Your insights are valuable, and your assistance/guidance, as always, is greatly meaningful to me, dear Dejan.
Thank you.
ISO 27001 Enquiry
Consider the following scenario:
Organization A engages a vendor for its SaaS services to manage System A. System A is not an on-premise SaaS system and is managed by the vendor, which is currently ISO 27001 certified.
If Organization A wishes to obtain ISO 27001 certification for System A, will Organization A be exempt from certain clauses in the ISO 27001 standard that are managed by the vendor? For example, physical security and encryption controls.
In summary, I would like to gain a better understanding of how to go about preparing my organization for ISO certification for systems which are off-premise SaaS solutions managed by an ISO-certified third-party vendor.
Questions about Conformio
1 - Of the items listed as mandatory for 27001, do they all have to be in place at stage 1, or is it okay to have a select listing completed and others WIP?
2 - Also, could you give me an indication of the costs involved with Conformio, please? Does Conformio only cover 27001, or does it cover other standards as well? I am currently responsible for the compliance and regulatory affairs of 2 companies which I have taken through ISO 13485, and I manage and maintain both their QMS arrangements, audits, NCs, suppliers, etc.
3 - I am currently seeking to add 27001 certification for both and have a project team in place to identify where the existing QMS requires additional items to be ready for 27001. We are currently doing risk/threat analysis and controls ID to enable completion of the Statement of Applicability. I will be using the same compliance company as we do for 13485 and have provisionally booked stage 1 for September. Additionally, one business creates non-medical digital assets in addition to medical devices, so I am seeking 9001 there also. Pretty full on, as you can imagine.
BSI are constantly mailing me, pushing their Compliance Navigator tool, but I think we are too small (70 people between both) and would use it too little to justify the costs they're quoting. Is Conformio a similar tool?
4 - Also, would you have, or have knowledge of, anywhere that I might be able to find a regulatory roadmap for medical devices across different regions? (It seems to be a bit of a minefield, and each country seems to have regulations relating to clinical risk management, etc., in place which must be met in addition to the MDR, etc.)
Sorry for the early morning brain dump; hopefully it makes sense.
DR/BCP career
I currently have my CBCP. I am looking to further my DR/BCP career with ISO certifications. Which one(s) is/are best for me?
Question on Stakeholder Requirements for ISMS ISO 27001:2013
1 - In the survey of stakeholders for my ISMS, in what scenario may some suppliers have requirements that must be considered for the ISMS?
Are they requirements that they must meet for my organization regarding information security, or are they requirements that my company must meet for them in aspects of information security?
Currently my providers are:
Microsoft (Azure + Office 365)
Amazon (cloud services)
Google (Corporate email)
Zoom (Videoconference)
Spamexperts (SMTP Relay)
Turbo SMTP (SMTP Relay)
Sophos (Antivirus licenses)
A provider of the data center of my private cloud
An Internet access provider in my physical office
A software development provider
A provider of maintenance and support of user equipment
A maintenance and support provider for my virtual servers
A provider of information security consulting services
With Microsoft, Google, Amazon, Zoom and Sophos, a contract is not managed; I simply buy and pay for the service online.
2 - Could you give me some examples of possible requirements these providers have regarding the ISMS that I want to implement?
3 - What considerations should I take into account regarding these suppliers in my ISMS?
ISO Control 15.2.2 Extended Support Request
Hello Advisera Team,
We are currently preparing for our upcoming ISO assessment and wanted to reach out for some guidance on ISO Control 15.2.2, which is copied below. What would be the specifics that would be used as evidence to show that our organization is meeting this requirement? The bullets below highlight what our current process is, and our associates would be able to speak to this; however, there is no real documented procedure.
• During contract negotiations, third parties are asked to make *** aware of any relationship changes so a reassessment can be done.
• Any significant changes with a third party will go through an IT change management process.
• If changes occur to the type of data being exchanged to include sensitive data our scheduling team will bring awareness.
• Periodic reassessments of third parties are completed by ***.
“Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.”
Please let me know if you need further clarification on the above items.
ISO 27001 Clause 9.2
For ISO 27001, clause 9.2, do you need an internal audit function, or can it be named something else, such as risk review? My organization does external financial audits, but a client is asking us to assist with their "internal audit" function of 9.2. However, we cannot do internal audits, only risk reviews.
Framework question
One question about your framework.
I have got a long agenda for the certification meeting.
This is just a part of it:
Top management
• Organizational context and needs and expectations of interested parties (4.1, 4.2)
• Strategic direction, policies (5.2) & objectives (6.2)
• Involvement and commitment from top management with respect to the management system (5.1)
• Roles, responsibilities, and authorities (5.3)
• Provision of resources (7.1)
• Human resource security (A7)
• Communications (internal/external) (7.4)
• Continual improvement (10.2)
• Performance evaluation (9.1)
• Management review (9.3)
I have documented all of Annex A, but where are all the requirements like 4.1 and 4.2 documented in your framework?
How to record external issues (not legal or contractual) in Conformio
In the Conformio ‘Register of requirements’ it is possible to add requirements of types ‘Contractual Agreement’ or ‘Legal/regulatory requirement’, but not any other external/internal issues as stated in ISO 27001. Our organization for example has an office in Ukraine and we would like to add an availability requirement regarding the people and company infrastructure there.
How should we record that requirement in Conformio?
Approving Residual Risk in Conformio
Can you please advise whether we should click "Approve Residual Risk" during the final (Approval) phase of filling in the Risk Register module, even if all the identified "Risk Treatment Controls" items are not yet in place or implemented?