
ISO 27001 & 22301 - Expert Advice Community

  • Is it an NC

    Hi Experts, I have a doubt about a situation: whether an NC can be given or not. An outsourcing company which provides training to other companies receives a new training contract every year. This contract contains a list of students who will attend the training. So, during the audit, you find a requirement from the customer that student information should be protected as per Govt. Procedure 888. The contract manager says he does not know about Govt. Procedure 888, and only read the names of the students to be trained. All previous years' contracts do not have this Govt. Procedure 888 requirement. Apparently, they do have their own procedure to protect student information.   Now, I say it is an NC as per 4.2(b), in that they failed to identify a contract requirement. As per my mate, it is not an NC, as they still have their own procedure to protect student information.   What is your view on this?   Thanks, Prashsax
  • 27001 Scope

    My organisation is spread across 4 primary physical locations. For the purpose of our ISMS, we have included only two locations. My challenge is that I have departments with teams spread across the 4 locations. The teams don't have duplicating functions, but they all input into each other. Hence, how can I successfully de-scope such units?
  • ISO 27001 / Planned intervals

    Hi, can anyone please explain "planned intervals"? Shall I plan, for example, the management review every year or every 6 months? Because it is hardly possible: they are busy people, and I meet them when possible, on planned dates that can be advanced or delayed depending on their availability.
  • Context and scope of the ISMS / ISO 27001 v 2013

    Hi everyone, I'm preparing the migration from v 2005 to v 2013 and I'm a bit lost on what I should put in the context and scope document. Shall I leave the old scope and add what is needed in 4.3? Also, I couldn't really figure out what is needed in 4.3 (4.2 and 4.1).   Many thanks,
  • On-line transactions

    Hi, A.14.1.2: is it only about online transactions? If not, what are the other types of transaction? Could you please suggest an answer?
  • Managing records

    Related to the section "Managing records kept on the basis of this document": currently in our organization, all emails, requirement documents, design documents, etc. related to a particular project are stored under that project's folder, and only the members of the project have access to it. Is this good enough to specify?
  • ISO 27001 Controls Effectiveness Measurement

    Hello, I need support regarding the measurement of the effectiveness of controls: 1- Shall we measure all 133 controls, or are there only some specific controls that need to be measured? 2- Can you please give me any clue on how to proceed with this measurement, and how to define the metrics for measurement?   Many thanks in advance!
  • Physical security Policy

    Hi Dejan, I have a doubt. For ISO 27001:2013, 11.1.3 refers to CCTV controls. Does it mean it directly? If CCTV is not recording, is that an incident? Also, if CCTV details and other access control events are not backed up, is this an incident? Can you please explain why? Its compensatory controls and how to resolve it?   Thanks, Vijay
  • Access control

    We have received this question: "Access control - user vs technical? How do I distinguish the difference in ISO27002? This is regarding ISO27002 - section 9 Access control 9.2 vs 9.4" Answer: The rights are given to users (people) to access information (e.g. physical documents), applications, hardware and locations (buildings and rooms). The correct management of this aspect is covered by clause 9.2. Clause 9.4 covers 'how' the access rights should be implemented in the technology to make sure the data on the computer systems (including mobile devices and telephony) are accessed according to the rules fixed by clause 9.2.
  • Align IT services continuity with ISO 22301

    Is ISO 27031 a good option to align IT services continuity (aka DRP) with ISO 22301 (BCMS)?
  • Vocabulary

    We have 2 terms for: ENGLISH: Risk evaluation, risk assessment (there is no glossary)