Please select user.
There are no topics yet.
looking for a Gap Analysis worksheet / spreadsheet for ISO 27001:2022. Any ideas?
1. I have the ISO 27001 Internal Audit Toolkit English and am starting the internal audit. The checklist provided for ISO 27001 only has listed up to A.8.34. The Statement of Applicability has up to A.18.2.3. Could I have the checklist up to A.18.2.3, please?
2. Also should the policies and procedure documents be specifically named individuals rather than Job title?
In the risk register/table, some risks relate to high-level or more general assets that I do not have in my asset register.
User error >> most assets
Information interception >> most assets
Malicious action by employees >> almost everything
Unauthorized access to the information system >> all system and docs
Leakage/disclosure of information >> all docs and data
Unauthorized change of records >> all systems with records
What should I write as an asset for these risks in the relevant tables (risks, risk treatment etc).
A company is going for its first year ISO 27001 surveillance audit based on ISO 27001:2013. I have been appointed to perform its internal audit. Kindly advise if we should cater for the 2022 revision during my audit. If yes, in which section and how.
"In "09.07_Inventory_of_Assets_27001_EN.xlsx" there is a column (F) with Impact and there is a note saying "Copy from the Risk Assessment Table.". But, in the Risk Assessment Table, the Impact (which you call "Consequence") is for each Risk and not for the asset. Can you please clarify and explain if I am missing something?"
I'm not quite convinced of the new documentation package for 2022.
In the package for ISO 27001 from 2017, the documents have been named consecutively based on the subdivisions.
For example, under area A10, the document Guidelines for the use of encryption was created based on the controls A10.1.1, A10.1.2 and A18.1.5
According to the new classification of the controls appendix A 2022, the controls 2017 for cryptography go to department 8 Technological Controls appendix A 2022
In the control A8.24 over. However, your documents are not subdivided and subdivided according to the new ISO in the appendix, but are included
Only the departments Security Measures, Training and Awareness, Internal Audit etc.
Where can I find the documents on the other measure terms such as 5. Organizational Controls, 6. People Controls, 7. Physical Controls and 8. Technological Controls?
Hello, I have a concern about the determination of activities, products and services. I would like to take a practical case of an organization whose sole activity is to operate and maintain the IT system of a bank. the Bank retains 3 critical processes that must never be interrupted: customer management, credit management, collection
We want to do the SMCA (Système de Management de la Continuité d'Activité) for the Bank's computer system. What to remember in the products and services of the SSSI (Société de Services en Systèmes d'Informations)?
i) Product: Computer System, Services: Management and maintenance of the Computer System, customer management, credit management, collection
ii) Product: IT system, Services: customer management, credit management, collection
iii) Product: Computer System, Services: Management and maintenance of the Computer System
With regards to the scope, there is a section around location. Our client’s registered location is the CEO’s house address which we wouldn’t want to include as the location. All the users work remotely in different places. How do we deal with such a scenario? Is there a way to exclude location?
Can you provide me with how to write contracts and regulations for contracts, and is it between IT management and other employees in the same company?