ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 Certificate Renewal

    Hope you are doing great today!! A quick question please. In 2017 my organization's ISO 27K certificate expired. The current management is interested in renewing it now. So I just wanted to know if it is just a renewal or do I need to go for a full implementation cycle. Also, the certificate that expired in 2017 is ISO 27001:2005. So, in that case I think it is better to go for a fresh implementation. I would like to get some advice from you on this. Thank You!!
  • Questions around templates - policies vs procedures

    We have a question around the policies vs procedures. Example: In the template "Security Procedures for IT-department" under Change Management procedures, you have a comment saying: "Delete if the change management policy constitutes a separate document". Shouldn't the Change management policy and the Change management procedure be separate documents/have separate purposes (the why and the how)?
    1. From your templates it seems like policies and procedures could be the same thing, since we don't need a change management policy if we include this as a procedure in the document Security Procedures for IT department?
    2. Is it okay to only have procedures or policies for certain controls?
  • Training and ISO 27001 implementation

    We have read through an article on your website that speaks about the training cycle. We are confused about the first point in the article: https://prnt.sc/RuSlI-gE3BiA. Is it mandatory to train other employees and do this, or is this optional?
  • Questions about ISO 27001 controls in Conformio

    1. We have a question about this Time synchronization control - the control in Conformio says to use accurate time clocks and synchronize them automatically. We have a system in place to synchronize clocks, and our laptops that the employees use are also synchronized via google services. We would like to understand if we should write a policy about this and what can we expect during the audit? Will the auditor ask to see how we do this for all clocks and laptops or will he ask for a random one? Would this also be applicable to tablets? This is the task I am referring to https://prnt.sc/KaIKTGeAtuK3 (control A12.4.4)
    2. We have similar questions around the task "Make sure all computers use anti-malware" related to control A 12.2.1 - what would the auditor check in relation to this and do we need a written policy on how we handle this in our organization?
    3. Also, the standard uses the words "elements to be considered" and they give 10 recommendations? Are these recommendations or do we need to do everything that is listed?
  • Is Security Awareness training compliant enough for ISO 27001 audit?

    Can you please clarify that the awareness training which is linked to our Advanced plan in Conformio is indeed compliant enough for ISO 27001 audit? I just would like to rephrase my question earlier. We are aware that the awareness training linked to our Advanced Plan is meant to help us with the employees' awareness training control; however, we aim to use the scheduling option + quizzes and obviously monitor the activity. With that being said, would that be enough for auditing and to be compliant on that specific section? In addition, we have been following your Admin guidance for awareness training, so we are quite familiar with all options.
  • How to become a BIA expert

    How to become a BIA expert as a beginner, where to start and what to learn
  • Partial certification

    As someone who has been using your tools and services before, I wanted to reach out because our company *** is planning to get ISO 27001 certified. As such, one of our fundamental questions before we get started is 'whether a partial certification' might be possible. In other words, certification against some, but not all of the clauses of ISO 27001. Would you be kind enough to point me to some Advisera services and resources that might help us in our journey?
  • Question about how to identify ISO 27001 ISMS Assets

    I have a question on "what is an asset". We are having a bit of trouble deciding what an asset is. Do you have a clear definition we could use? Our current understanding is: We define the scope of the ISMS. In our case we are a small company so the whole company is in scope. We know the Toolkit Documents and records are within scope, so will for the core document set in the DMS. Now for the rest ... Our understanding of identifying assets (documents, records, hardware, and so on) is to ask the question: Does this asset have a security element to it to make it in scope? For example, a work instruction procedure to change a user's password would be in scope. Whereas a marketing brochure (that did not cover any product security) would not be regarded as an ISMS asset (accepting such a document, as an asset, may fall under the remit of another ISO Standard).
  • Contestation

    Could you help me and answer this quick question? In your opinion, what is the biggest challenge when carrying out a risk assessment and treatment? In my opinion "A correct definition and adequate analysis of the assets involved." Greetings.