
ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 / Conformio questions

    1. Can I, as the Project Manager of the ISO 27001 implementation, also conduct the Internal Audit? Or should this be done by someone who is not as involved in the project implementation? 2. When should the first Management Review be conducted? At the end, when we have all of the documents, or while we are implementing the policies and procedures? I am asking this because there are some items that have their first occurrence set to one month after the start of the project, so now I am afraid that I was supposed to do this from the beginning.
  • Process vs Procedure

    In your toolkit for ISO 27001 I noticed you have templates for "Processes." Is a process the same as a procedure? Please advise.
  • Addressing Annex A clauses

    To be compliant with ISO 27001, how do we address the 10 clauses other than the Annex A control documents? Do we need one big generic document that addresses them clause by clause?
  • Statement of applicability A.9.1.2 (Access to networks and network services)

    I'm working on the SoA document. I've previously defined our assets and have prepared the risk assessment. In the SoA document I see A.9.1.2 (access to networks and network services). So far, I've defined assets like "commercial documents", "databases" and so on. Accessing all these assets must of course be protected, so avoiding the use of public Wi-Fi networks will be specified in the Access Control Policy document. My question is the following. As using public Wi-Fi can be considered a valid threat for all IT assets we can access remotely, in the risk assessment list of items, can I just add a global asset called "internal IT resources" that will have the threat "using public Wi-Fi" and the vulnerability "public Wi-Fi networks are not secured by nature"? This global asset would comprise other, more specific assets. Or do I have to specify this risk for all the specific assets I've defined?
  • Control of Suppliers (Contractors)

    It is very common these days for businesses to outsource software development and have contractors work as part of a team. I am hoping for advice on controlling these developers. We have several developers who are contractors but are working as part of several internal teams. They are in a different country and have their own laptops, internet connections (and offices). My company prefers not to purchase and provide a laptop, and the developers prefer to use their own, but they will not allow any software to be put on their laptops or allow us to control their laptops in any way. As part of our ISO 27001 controls, they need access to our Microsoft DevOps environment and also have access to Outlook, Teams and SharePoint. We are looking to put in place a rule (somehow, via Azure or Endpoint Manager? Advice?) that says the laptop/computer must have encrypted drives, antivirus, and be up to date with OS patches, as a minimum, to connect for standard development. While not completely controlling the laptops/computers, would this be enough for most people to allow? Would this pass the general acceptability test for most companies who have ISO 27001? (We already have a requirement that access to live private data or information requires a company-owned laptop.) Any advice is welcome.
  • SaaS provider

    In the risk assessment exercise, as a SaaS provider, we are quite focused on protecting PII and other customer data. But I was wondering whether the customer itself could be considered an asset for the ISO 27001 certification. For example, a threat would be "losing customers" and the vulnerability would be "not being able to guarantee the SLA in incident management". Would this be something to consider for our ISO 27001 certification?
  • ISO 27001 Certification Data

    My queries: (1) How many months of data/records of implementation are needed for the ISO 27001 certification, and (2) what is the usual timeline for the ISO 27001 certification, from preparation, training, Stage 1 and Stage 2 to certification?
  • ISO 27001 Staff Security Awareness

    Good morning. I hope that you are able to answer a question for me, please. Control A.7.2.2 states that "All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organisational policies and procedures, as relevant for their job function." We are a small company and currently deliver IT security awareness sessions via in-person presentations once or twice a year. Attendance is mandatory and is recorded to provide evidence of provision. Are you able to advise, please, whether this would be sufficient to satisfy an ISO 27001 audit, or whether the frequency of this training would need to be increased and/or delivered through something more formal, such as an online training portal with a test at the end of each session? Thank you in advance for your advice.
  • ISO 27001 measurement and Monitoring

    I have some thoughts around the measurement and monitoring part of the ISO 27001 framework. 1. Is it the controls from Annex A that need to be monitored and measured, or also other parts of the ISO standard? 2. Is the measurement part mandatory for all controls, or can we somehow justify which controls we choose to measure? 3. How detailed does the measurement need to be? Can the internal audit be enough as a method of measurement, or is this too non-specific?
  • ISMS Policy vs Information Security Policy

    Are the ISMS Policy and the Information Security Policy the same or different policies?