Get a 20% discount on the first year of the Company Training Academy annual plan.
Limited-time offer – ends April 24, 2025
Use promo code:
CTA20

ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit register of requirements Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 9001:2015 ISO27001
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Risk Acceptance Criteria

    Our org is ISO 27001 certified. I want to design a Risk acceptance criteria policy and need help with that. Actually, a few control on risk contain high finance, so in this scenario how could we accept it by the approval of Mgmt?

  • Secure System Engineering Principles Document

    I do not see a Secure System Engineering Principles document.  Is it within another document?

  • Some questions about ISO 27001:2013

    ISO 27001 indicates to identify the risks owners (clause 6.1.2 c.2 ). what is the purpose of this clause? how do we determine the risk owners ?

  • Asset category

    My company is taking third party for maintaining the fire alarm, HVAC so in which category i can put those assets? whether in infrastructure asset or third party asset? please help me for this..

  • Risk related to our building

    I am still in risk assessment process, and there is a risk related to our building: water damage. This risk has high likelihood (since our building is built above a low level ground water, I mean: if we dig the ground for 2 meter depth, we can easily find water) and resulted in medium risk level. According to our organization's risk assessment policy, this risk level has to be mitigated. But somehow we can not find any feasible mitigation to respond to this risk, due to high cost investment. So, in times like this, what do will you suggest? My plan is to raise this issue to management and ask their approval to accept the risk.

  • Internal and External Issues

    I'm starting to implement the ISMS, regarding the scope, I read a blog article (Explanation of ISO 27001: 2013 clause 4.1) and noticed I have to determine the internal and external issues. I define roles and responsibilities of all employees of the organization or just those involved in information security. And is there any recommendation for this, for example a list containing the name, job title, responsibility? 

  • Third Party SLA for out-of-scope Systems

    Hello Dejan, We are currently ISO 27001 certified and the ISMS scope also includes our customers' systems (hosted at customer's premises as well as outside customer's premises). The same customer has also initiated their ISO 27001 Compliance initiative with the scope of "All IT Services". Now in this case to avoid duplicated ISO audits and remediation, what is the possible way forward. Should we share our asset list with them to ensure there are no duplicates across our asset lists. So they go ahead with the audit of assets on their list (i.e. the assets they manage and operate) and we continue with the surveillance audit of our asset list (i.e. the assets we manage and operate). Meaning we don't have to undergo end of year audit twice including all the documentation, records and controls implementation etc. In other words we as System Owners (of customer's systems who are the data and business owners) continue to be responsible for compliance. Also is it possible to develop an SLA between us in such a way that customer's ISO auditors do not carry out an exhaustive audit of our assets. For e.g. can we include the statement in the SLA that the service provider (i.e. us) is ISO 27001 certified and hence we avoid the duplication. We, as service provider, can always produce information to demonstrate compliance though. With the above approach, the customer would still be able to identify themselves as ISO certified. Please advise. Regards.

  • Risk Assessment Toolkit

    I need help with your risk assessment tool kit. do it have Questions related to risk controls in Annex. e.g if i do risk assessment on any Application, do your kit have question to ask to Application owner ?

  • Implementation Checklist

     I do hope you are fine. I get stucked again and I need your assistance. After going through risk assesment, I'm able to come up with some master listb of documents like business continuity plan, backup testing plan, access control policy, etc. I want to implement the listed documents but I don't understand what shall I do since I'm not implementing it in real scenario. I'm just implementing it on paper, like having a case study and trying to develop the ISMS just to assess my understanding of ISO27001. Hope my question is clear.

  • Information Security Policy

    What is the difference between the clause 5.2 and A.5.1.1 and A.5.1.2 controls?
Page 505 of 544 pages