What is the best way to set up, within our organization, the team that does the access control task, in order to have a correct segregation of responsibilities?
Question regarding the procedure for document and record control
Currently, we are faced with a question regarding the procedure for document and record control: within our certified quality management system, we already have such a procedure in place. However, this procedure only applies to documents and records of the management systems, as well as to templates, guidelines and other policies that are binding for employees. In contrast, documents and records that are, for instance, created within customer projects are only implicitly part of the document control, i.e., employees should use the templates that are part of the document control (if applicable). In fact, the templates contain a mandatory field for the confidentiality class, and we will also have a policy for classification and labelling of information. Nevertheless, probably a lot of information exists that is not, or rather cannot be, documented by the use of the controlled templates. Now, we are wondering whether or not the current scope of documents and records to be controlled is also sufficient in terms of the ISO 27001 requirements, in particular in light of the plan to have a policy for classification and labelling?
ISO 22301 and ISO 31000
1. What are the key differences between ISO 22301 and ISO 31000, since at a glance they look similar?
Question on clause 9
While implementing ISO 27001:2013 for a leading bank, I am stuck at clause 9.
Risks of external email service provider
We have an external email service provider; the information security risks are low, because they manage everything, and we just send them the list of products with prices. I do not see risks that impact the organization. What do you think?
Should all applicable controls from Annex A be fully implemented by the time
Should all applicable controls from Annex A be fully implemented by the time of the certification audit? What proportion of the controls is acceptable in the status "Partially implemented" or "Planned" at the time of the certification audit? How do auditors regard such statuses in the SoA? Could this lead to a refusal to issue the ISO 27001 certificate?
ISO 27001:2013
I am acting for a client who is hoping to go for certification next April, and the original gap analysis was done on the 2005 version of the standard. We are keen to be following the 2013 standard, so we are making the appropriate revisions in the documents prepared to date. We have a Risk Treatment Plan and a Corrective Action process, but in order to show the auditor that we have "converted", I have prepared an extra document, which I have called a "Remediation Plan", which sets out the old controls, the gap analysis score, the new control and the description of the new control, which then has a plan of action next to the control (stating the work we need to do, such as policy/procedure/process/review etc.). The plan of action is really a project plan of the individual groupings on the Risk Treatment Plan in more detail. Do you think that is enough to ensure the auditor knows we have converted ourselves over?
2005 revision deadline
My query is that we have engaged an auditing body to conduct a Stage 1 audit (June 2014) in our organization. They conducted the audit against the ISO 27001:2005 version and shared the findings with us for closure; now we are closing the Stage 1 audit findings and plan to engage our auditor for the Stage 2 audit in mid-September 2014. Our consultant said that BSI is restricted to certifying against ISO 27001:2005 until September 2014, after which companies have to certify against the new version, ISO 27001:2013. The confusion is this: if we certify against the 2005 revision and unfortunately any major non-conformity is raised by the auditor which takes, for example, two months to close, will BSI then certify us against the 2005 revision, or will they say that it is now November 2014 and certification against the older version was only applicable until September 2014?
Minimum of three months for records for certification audit
One of our customers insists that there is a minimum of three months of records to be presented in an audit. I cannot find any clause where this period is mentioned.
Question about CIA and asset inventory
I have a question about the asset inventory. I have stumbled on a doubt: are the principles and scales of Confidentiality, Integrity and Availability applied to the risks or to the assets, or to both? How are the CIA principles applied in the new standard: to the risks or to the assets?