ISO 27001 & 22301 - Expert Advice Community

  • Risk assessment question

    I need some information about 3rd party risk assessment. We are a small business preparing for ISO 27001. I need to know how to fill in the questionnaire for the 3rd party risk assessment. I also want to know how to use the other registers which are mandatory in ISO 27001. In addition, I don't know how to make the SOA.
  • Establishment of the scope of the ISMS ISO 27001:2013

    Good morning. Could you help me with a practical guide and/or examples to help me establish the scope of my Information Security Management System (ISMS) and comply with ISO 27001:2013? What considerations should I take into account to establish the scope of the ISMS?

    I give the context of my organization. My company has a mixed operations model: employees in telecommuting mode and some employees in a physical office, and we occasionally rent a coworking space for meetings or for some group activities and/or meetings with clients. In the short term we will only have telecommuting employees and we will hand over the physical office.

    All our application servers are in the cloud (we have a private cloud). We use Microsoft Office 365, Google G Suite and Zoom. Employees from software development, designers, analysts and data scientists connect via VPN to the private cloud and each has a virtualized Windows 10 computer for their work. Salespeople do not connect via VPN to the private cloud; they only use web applications (Office 365, Google G Suite, Zoom, CRM). The accounting area is connected by remote desktop to its own server in the private cloud; it is an RDP server (Remote Desktop server). They (commercial and administrative area) are assigned a company team. Developers, designers and analysts are normally allowed to work from their own personal computers, but only to connect via VPN to the cloud. Very few have asked the company to assign them a team for telecommuting.

    We have a task that weekly downloads the backups of our main virtual servers and the virtual teams of the developers that are in the cloud to a storage server that is in our physical office. Our servers are in a datacenter that has ISO 27001:2013 certification. In the physical office we have 4 servers, but they are only for backup storage and for tests.
  • Management of change

    Hello, how are you? I have bought the ISO 22301:2019 kit. Recently I had an observation during the external audit for certification: "ISO22301 6.2.3 Not all recognized criteria for the implementation of the Change Management Process for the ISO22301 standard have been recorded." Where in the ISO 22301 kit can I find information or a procedure for Change Management, to close the observation so that it does not become a non-conformity? Thank you in advance.
  • Risk Register question

    On the other hand, and still in reference to the Risk Register, we question whether it is reasonable to consider the 'vulnerability' weak password under the Asset-Human Resources (top management, employees, etc.) rather than under the more obvious Asset-IT and communication equipment (desktop computers, mobile devices, etc.). This is in the sense that our people set their passwords and are expected to comply with the password construction guidelines/Password Policy; in the end, it can be through their following of the rules that this can be assessed. We are not certain if this approach makes sense or is viable.
  • Inquiry about the following ISO27001 controls

    Background: Number of employees: ~ *** employees. Scope for ISO certification (*** sites): Site A: 5 employees, CxO, a few tech people, with a physical office shared with the *** parent company. Site B: ~ 35 employees, Operations (developers, cybersecurity, cloud support), no physical office (***). Working environment: 80% of the time site 1 personnel are working remotely, while site 2 employees are 100% working remotely. Can you please provide some guidelines on the following scenarios?

    1. Physical office security for site 1: Given the scenario above, is it possible to treat the site 1 office as out of scope? The existing security controls of the office do not fully conform with the standard and our personnel cannot make major changes to the office security, since they only sit in our parent company's office. In terms of risk associated with physical security, we assess that it is minimal since most of the time (80%) our personnel are working remotely anyway. Security will be enhanced on the personnel themselves (awareness), their system accesses (policy, access rights and reviews, and the like), and on their user laptops (endpoint security such as anti-malware, DLP agent).

    2. In site 2, our HR, Recruitment, and IT (laptops, user peripherals, purchasing of this equipment) services are provided by our parent company (shared among some of its subsidiary companies). Are they still considered a supplier of the services, and will they be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such a contract established with our parent company. The personnel of the aforementioned teams only access "internal" classified data such as employee info, payroll, and the like.
  • How to close treatments

    How do you close risk treatments?
  • A.7.9 Clause

    Thank you for the amazing conversion tool from ISO 27001:2013 to 2022. Please can you assist me with the 2022 clause for A.7.9, as I cannot seem to find a reference either in the conversions or in the new controls.
  • Non-conformities - entering corrective actions

    When attempting to enter new non-conformities I am unable to enter the data against responsibilities, corrections, corrective action, review. Where in the process do I get an opportunity to enter data against these field items?
  • New implementation: ISO 27001:2013 + ISO 27002:2022

    Hi ISO people. I'm in the middle of an ISO 27001:2013 implementation. I'm just finishing chapter 9. Now I've read ISO 27002:2022 and I would like to implement the new controls instead of the Annex from ISO 27001:2013. Will that get me in trouble if I write that we've decided to use the new set of controls and excluded the Annex from 2013 completely?
  • Conformio question

    I have a question: should I, and can I, write specific assets in Conformio? I.e., in the case of the asset "Operating systems", do we use "Operating systems" or do we write "Windows operating system" to make this more specific?