ISO 27001 & 22301 - Expert Advice Community

  • Annexure SL

    Can you please enlighten me as to whether Annexure SL may be included in ISO 27001:2022, or does it already exist as a Document elsewhere?
  • 27001 question

    Dear Mr. Dejan, thank you very much for your support and help, and for sharing this start-up project template. I have a potential ISP/Fintech customer with a current Core Network Backbone and too many fintech leased lines and solutions running without a good security program in mind. They are running the business with no good CMDB/Assets RISK ITSM/ITIL strategy, and without enough people, organization divisions and separation of duties, and the WORST is that they are running the business with no good NOC/SOC setup. My question is how ISO 27001 can help them improve and establish a security/cybersecurity program with a strategy of 3 action plans: 1) Immediate action plan (timeframe 3 months): Assessment/Gap Analysis (CSET) and Design & Access + Services review (assets, facility, devices, links, customers, Design & Security Access & Control, NOC/SOC, policies) and FULL system/net audit (Vulnerability & Pentesting for critical systems), Training, Top Management and engineering Cybersec Awareness and full-picture Cybersecurity project awareness. 2) Mid-term action plan (6 months): prepare and build SOC team/org people capacity, process and practices for CyberDevOps operations including Assets Management, ITSM + RISK (config, problem, incident, ... management), Training, Cybersec Awareness, SEC+, Ethical Hacking, SOC operation & Incident Response & Threat Hunting. 3) Long-term action plan (18 months): prepare the ISO 27001 or PCI-DSS requirements, gap analysis (CSET), policies, procedures..., project management PDC..., plan for implementation.... We want to deliver a high-level cybersecurity 1-page action plan. If we get the approval we will be very glad/happy to partner with you in many ways: we will buy the ISO kit bundle and we will engage with you in the ISO 27001 implementation project for our customer (we can discuss the forward plan after getting the deal).
    We are very serious about this deal and the customer is very keen to start business with us, as we assess them to close severe threats/cyber holes in their infrastructure. Please advise on any starting document/plan that can help us get this tough deal closed, as they need immediate action with a vision to adopt ISO 27001 or PCI-DSS.
  • ISO 27001 Integration

    I have just been approached by a Large Organisation, who asked as to whether there is any integration for PCI DSS/ISO 27001 requirements with specific regard to Data/Information Management. This is a really large opportunity, and I shall discuss more detail if I know as to whether this is possible.
  • Clause 8.1

    Thank you for your email. I was wondering, regarding Clause 8.1, would you expect to see any evidence like an Operational Control Procedure, and what content would you expect to see in it?
  • 27001 question

    Thank you for the rich information provided in the article on the new features of ISO 27001:2022 (https://advisera.com/27001academy/explanation-of-11-new-iso-27001-2022-controls/). Since the new controls introduced are not mandatory, I would like to ask if ISO 27001:2013 LA/LI certificate holders are required to transition to the new version of the standard. Are companies that are currently certified to ISO 27001:2013 mandated to transition to the new version?
  • Merging ISMSs

    Company X is ISO 27001 certified and an ISMS is in place. Suppose company X acquires another company Y which is also ISO 27001 certified with its own ISMS. Where should the merging of the 2 ISMSs into 1 start, and what could be the challenges with this task?
  • Risk Register section

    Good day. In the Conformio Platform, in the Risk Register section, there are recommendations as to the number of Assets, Vulnerabilities and Threats to be selected. In this evaluation, is the selection to be general and/or theoretical, or rather based solely on where weaknesses may factually exist? Perhaps my enquiry is not clear; please consider, for exemplification: 1) An asset: Desktop computer/laptop (for the purpose of this example, both serve); theoretically, a weak password is a vulnerability, as is the lack of (or not updated) anti-virus software. However, if there are already policies in place regarding strong password construction, and the update of anti-virus software is monitored and secured, then should this vulnerability not be selected, because controls are already in place? Or should it nonetheless be selected, to document that it was accounted for but is already treated? 2) The asset: Office rooms/facilities. In theory, the main vulnerability for such an asset would be lack of access controls to facilities, rooms or offices. In our company, access controls are in place. Therefore, should such a vulnerability not be selected; or rather, should it be selected but its likelihood be evaluated as low due to the controls already in place?
  • Query ISO 27001

    I would appreciate your help with the following queries regarding the "ISMS Implementation Project Plan" document. In the project organization, can you add a role called "Project Leader" that has similar functions to those of "Project Manager"? Let me pose the question better: within the document "01_Plan_de_project", in point 3.4 Organization of the project, two positions are defined, "Project Sponsor" and "Project Manager". The question is, can an additional position be added, for example Project Leader, where in this new position we can define the functions that we believe are convenient?
  • Security Awareness training - Compliance question

    We have started to use Advisera security awareness training (currently subscribed to a Company account for up to 50 users), and several of our employees who have been notified about the program are still not registered, or their status is overdue. In the light of the above, will that prevent us from being compliant with ISO 27001 (in that specific area)? Must all employees complete the program, or is it enough to show there is ongoing activity?
  • UKAS Accreditation

    Hi, I am in the UK. We have potential vendors who have ISO 27001 certificates issued through organisations which are UKAS accredited. We also have potential suppliers who have ISO 27001 certificates issued through organisations which are ASCB accredited. I understand UKAS is appointed as the UK's "national" accreditation body, but does this mean that the ASCB-issued certifications are any lesser? Thanks, Lee