ISO 27001 & 22301 - Expert Advice Community

  • Context and scope of the ISMS / ISO 27001 v 2013

    Hi everyone, I'm preparing the migration from v 2005 to v 2013 and I'm a bit lost on what I should put in the context and scope document. Shall I leave the old scope and add what is needed in 4.3? Also I couldn't really what is needed in 4.3 (4.2 and 4.1). Many thanks,
  • On-line transactions

    "Hi, A.14.1.2: is it only about online transactions? If not, what are the other types of transactions? Could you please suggest an answer?"
  • Managing records

    Related to the section Managing records kept on the basis of this document: currently in our organization, all emails, requirement documents, design documents etc. related to a particular project are stored under the particular folder and only the members of the project have access to it. Is this good enough to specify?
  • ISO 27001 Controls Effectiveness Measurement

    Hello, I need support in regards to the measurement of effectiveness of controls: 1 - shall we measure all the 133 controls, or are there only some specific controls that need to be measured? 2 - Can you please provide me with any clue how to proceed with this measurement? How to define the metrics for measurement? Many thanks in advance!
  • Physical security Policy

    Hi Dejan, I have a doubt. For ISO 27001:2013, 11.1.3 refers to CCTV controls. Does it mean it directly? If CCTV is not recording, is that an incident? Also, if CCTV details and other access control events are not backed up, is this an incident? Can you please explain why? it compensatory controls and how to resolve it? Thanks, Vijay
  • Access control

    We have received this question: "Access control - user vs technical? How do I distinguish the difference in ISO27002? This is regarding ISO27002 - section 9 Access control, 9.2 vs 9.4" Answer: The rights are given to users (people) to access information (e.g. physical documents), applications, hardware and locations (buildings and rooms). The correct management of this aspect is covered by clause 9.2. Clause 9.4 covers 'how' the access rights should be implemented in the technology to make sure the data on the computer systems (including mobile devices and telephony) are accessed according to the rules fixed by clause 9.2.
  • Align IT services continuity with ISO 22301

    Is ISO 27031 a good option to align IT services continuity (aka DRP) with ISO 22301 (BCMS)?
  • Vocabulary

    "We have 2 terms for: ENGLISH: Risk evaluation, assessment risk (there is no glossary)
  • Asset owner and risk owner - how exactly are the two differentiated?

    I've received this question:
    "Regarding the “asset owner” and “risk owner” when it comes to people. How exactly are the two differentiated? For example – a Network Administrator. Would the asset owner be “self” and risk owner be “department manager”?
    Answer: I assume you are asking a question related to people as assets in terms of ISO 27001. For Network Administrator, the asset owner would be his direct boss - e.g. the Head of IT department; risk owners should be people who can resolve particular risks - e.g.:
    risk of performing wrong activities because of non-existing rules - risk owner could be Head of IT department
    risk of performing wrong activities because of lack of training - risk owner could be Head of HR department
    This article can also help you: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Involving the management in the BCP process

    "I had the opportunity to work with the implementation of this standard two years ago. In addition, I had the opportunity to offer a few trainings regarding BCP and share experience with a few industries here.
  • ISO27001 Risk Register

    We have received this question: "I'm preparing the risk register. Let's take the asset as "firewall", the threat as hackers, and there would be a lot of vulnerabilities associated with this threat (improper access rights, misconfiguration, lack of rule base audit, etc.). But I have seen risk registers with one threat and they write only one vulnerability. Please provide your inputs regarding this query." Answer: Risks are better expressed in terms of scenarios: « this happens to that element under these circumstances and causes this level of damage ». Each asset can have several threats that in their turn have several vulnerabilities. So we recommend, for a comprehensive risk registry, to have one line per vulnerability and one group of vulnerabilities per threat. If a register only shows one threat or vulnerability for each asset, it's probably because the risk manager has, after analysis, only kept 'the worst case'. An auditor should accept all that you included in your risk registry, but you will have to explain what you did to come to this registry and how you did it. It's 'your' security that counts, not the way the auditor thinks it is. Note: The 'Asset-Threat-Vulnerability' method is only one possible approach for risk analysis.