ISO 27001 & 22301 - Expert Advice Community

  • Merging ISMSs

    Company X is ISO 27001 certified and an ISMS is in place. If company X acquires another company Y, which is also ISO 27001 certified with its own ISMS, where do we start merging the two ISMSs into one, and what could be the challenges with this task?
  • Risk Register section

    Good day. In the Conformio Platform, in the Risk Register section, there are recommendations as to the number of Assets, Vulnerabilities and Threats to be selected. In this evaluation, is the selection to be general and/or theoretical, or rather based solely on where weaknesses may factually exist? Perhaps my enquiry is not clear; please consider, for exemplification: 1) An asset: Desktop computer/laptop (for the purpose of this example, both serve); theoretically, a weak password is a vulnerability, as is the lack of, or not updated, anti-virus software. However, if there are already policies in place regarding strong password construction and the update of anti-virus software is monitored and secured, then should this vulnerability not be selected, because controls are already in place? Or should it nonetheless be selected, to document that it was accounted for but is already treated? 2) The asset: Office rooms/facilities. In theory, the main vulnerability for such an asset would be lack of access controls to facilities, rooms or offices. In our company, access controls are in place. Therefore, should such a vulnerability not be selected; or rather, should it be selected but its likelihood be evaluated as low due to the controls already in place?
  • Query ISO 27001

    I would like your help with the following queries regarding the "ISMS Implementation Project Plan" document. In the project organization, can you add a role called "Project Leader" that has similar functions to those of "Project Manager"? Let me pose the question more precisely: within the document "01_Plan_de_project", in point 3.4 Organization of the project, two positions are defined: "Project Sponsor" and "Project Manager". The question is, can an additional position be added, for example "Project Leader", where for this new position we can define the functions that we believe are convenient?
  • Security Awareness training - Compliance question

    We have started to use Advisera security awareness training (currently subscribed to a Company account for up to 50 users), and several of our employees who have been notified about the program are still not registered, or their status is overdue. In light of the above, will that prevent us from being compliant with ISO 27001 (in that specific area)? Must all employees complete the program, or is it enough to show there is an ongoing activity?
  • UKAS Accreditation

    Hi, I am in the UK. We have potential vendors who have ISO 27001 certificates issued through organisations which are UKAS accredited. We also have potential suppliers who have ISO 27001 certificates issued through organisations which are ASCB accredited. I understand UKAS is appointed as the UK's "national" accreditation body, but does this mean that the ASCB-issued certifications are any lesser? Thanks, Lee
  • Document Toolkit

    I was hoping you might be able to give me some advice about the confidentiality statement. We cover confidentiality in the employment contract, so my question is whether it is mandatory in ISO 27K that there is a separate confidentiality agreement signed by staff, or is it OK if it's covered in the employment contract? Does there have to be a confidentiality agreement, or just a signed document that shows agreement to keep information confidential?
  • ISO 27001 Certificate Renewal

    Hope you are doing great today! A quick question, please. In 2017 my organization's ISO 27K certificate expired. The current management is interested in renewing it now. So I just wanted to know if it is just a renewal, or do I need to go for a full implementation cycle? Also, the certificate that expired in 2017 is ISO 27001:2005. So, in that case, I think it is better to go for a fresh implementation. I would like to get some advice from you on this. Thank you!
  • Questions around templates - policies vs procedures

    We have a question around policies vs procedures. Example: in the template "Security Procedures for IT Department", under Change Management procedures, you have a comment saying: "Delete if the change management policy constitutes a separate document". Shouldn't the Change Management policy and the Change Management procedure be separate documents with separate purposes (the why and the how)?
    1. From your templates it seems like policies and procedures could be the same thing, since we don't need a change management policy if we include this as a procedure in the document Security Procedures for IT Department?
    2. Is it okay to only have procedures or policies for certain controls?
  • Training and ISO 27001 implementation

    We have read through an article on your website that speaks about the training cycle. We are confused about the first point in the article: https://prnt.sc/RuSlI-gE3BiA. Is it mandatory to train other employees and do this, or is this optional?
  • Questions about ISO 27001 controls in Conformio

    1. We have a question about the Time Synchronization control. The control in Conformio says to use accurate time clocks and synchronize them automatically. We have a system in place to synchronize clocks, and the laptops that our employees use are also synchronized via Google services. We would like to understand whether we should write a policy about this, and what we can expect during the audit. Will the auditor ask to see how we do this for all clocks and laptops, or will he ask for a random one? Would this also be applicable to tablets? This is the task I am referring to: https://prnt.sc/KaIKTGeAtuK3 (control A.12.4.4).
    2. We have similar questions around the task "Make sure all computers use anti-malware", related to control A.12.2.1. What would the auditor check in relation to this, and do we need a written policy on how we handle this in our organization?
    3. Also, the standard uses the words "elements to be considered" and gives 10 recommendations. Are these recommendations, or do we need to do everything that is listed?