ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • 7 2 2 labeling and handling

    Dear dejan, for the documents and the assets (laptops, printers faxes etc) have to be labeled physically ? I mean do I have to type a label and stick on the assets that they are confidential? Thank you so much for your guidence
  • Criteria of IT company ISO certification

    Can you tell me the criteria of IT company ISO certification.
  • General impacts

    Hello Dejan, The perspectives (reputation, client´s reaction, backlog,etc) in the BIA questionnaire (section 3) have the same weight? I mean, let´s suppose that i have high impact at 4 hours to "How difficult will it be to catch up on the backlog of work", but to the others i have only marginal or acceptable impact. It´s enough to identify MTPD?
  • RTO for IT System

    Hello Dejan, If i have a system (ex: SAP) that support two process with different RTO, how i can define which RTO is applicable to my system? I need identify the criticality of my process first?
  • ISO training evidence

    Are there any templates for ISO Training evidences which we have to show to the Auditor in stage 2?
  • Query pertinent to mapping controls of the revised standard to the old standard

    Hi I have a query pertinent to mapping few controls of the revised standard to the old standard. On understanding the relevant sections, I find that: #9.2.3 Management of privileged access rights does NOT appropriately map to #11.2.3 User password management as given in the mapping document of the revised standard. The two sections are not in sync to be mapped on a one-to-one basis. #9.2.4 Management of secret authentication information of users does NOT appropriately map to #11.2.4 Review of user access rights as given in the mapping document of the revised standard. Again, the two sections are not in sync to be mapped on a one-to-one basis. Please help me clarify my understanding.
  • Will ISO22301 become more important with the transistion to ISO27001:2013 ?

    I would be interested in peoples view on this as it seems that 27001:2013 has watered down the controls for BC and DR and therefore may not meet some organisations requirements in these areas?
  • Disruption or Disaster?

    Which criteria i can use in my DRP Plan to identifiy if a event is a disruption or disaster? I mean, define criteria to activate or not my DRP.
  • Definition of Physical and Tehnical security and responsibilities

    Glad I am join to this community. Here is my question: What is your definition of Physical and Tehnical security? What are areas which belongs to Physical and Technical security? How Financial institution should organise those security areas? I have not found specific definition, also I am not sure how responsibility should be delegated between CISO, CIO, Tehnical department... Physical access control, alarm central, antifire control, money transfer, UPS...Does it belongs to Physical or Tehnical security? Who is responsible?
  • Difference between plans

    Hello Dejan, What are the main difference between the business continuity plan, Incident response plan and recovery plans in your toolkit? For my DRP (IT Recovery), what are the more appropriate?