ISO 27001 & 22301 - Expert Advice Community




  • Level of implementation in the companies of a country

    I would like to ask what the level of implementation of ISO 27001 and ISO 22301 is in *** companies, in order to get an idea of how far quality has penetrated in my country.

  • Recurring task in Conformio

    It does seem strange though... The task is to publish procedures for the description, but it has to be done every 10 x days.

    I would have thought once published, then at least annually would be ok...

    Appreciate your feedback.

  • Question about Scope of Work

    We have started engaging with a company to help us to get the ISO 27001 certificate. I am the project manager or the contact person, and I am confused about the SOW: they want to do it for all the ***, and I believe that we have to start with the IT department. What do you think?

  • Recovery site

    Due to Covid 19 protocols we have to adhere to social distancing requirements. So part of our team is working at the recovery site full time and it means that we do not have a recovery space in the event that the team working from the office can experience a disaster. The arrangement to work from home is not possible due to the nature of the job.

    So in this case, do we still consider our recovery site as a recovery site, as it has now been turned into a daily office until we are over with Covid?

    1 - Do we need another recovery site?

    2 - If we do, how do I convince management?

  • Stage 2 Audit and ISMS completion status and Assets listing

    1. I have a situation where the Assets listing is very light on, i.e., mainly just a listing. The Risk Assessment and Risk Treatment Register also doesn’t go into Inherent Risk, Controls and Residual Risk. It goes straight into a single risk (residual) rating. Am I correct to be concerned with the absence of an Inherent risk perspective?

    2. My question relates to preparing for a Stage 2 audit, in relation to how complete the ISMS needs to be. I have been told that if there are many gaps and low level of completion of ISMS, then the Stage 2 auditor will look for work plans that indicate awareness of this, AND review the results of past Internal Audits and Non-Compliances i.e., if there are many non-conformances and controls gaps found, then this is “good news” as it supports the status of non-completion. My thought is that the Stage 2 Auditor would expect to see the ISMS mostly completed e.g., at least 90%, accepting that there will always be maintenance and improvement.

  • Filling documents

    Hello Dejan,

    As *** internal contact for ISO 27001, a query arose while filling out your documents.

    I have tried to include information from the VDA ISA 5.0 questionnaire in your documents. In doing so, I often read about requirements that have to be determined.

    Are the following requirements in your document

    "02.1_Anhang_1_Liste_gesetzlicher_amtlicher_vertraglicher_rerichtungen_Premium_DE.docx" (02.1_Appendix_1_List_of_Legal_Regulatory_Contractual_and_Other_Requirements)

    determined and then referenced in the respective documents to be created later and implemented in a suitable manner or where exactly are these requirements written down?

    1 - Requirements for the procurement, commissioning and approval for the use of non-organizational IT services are determined

    2 - Requirements and procedures for the use of confidentiality agreements when passing on sensitive information

    3 - The procedures for user authentication are defined and implemented on the basis of business and security requirements.

    4 - The requirements for development and test environments have been determined

    5 - Measures to meet the requirements with regard to intellectual property rights and the use of software products protected by copyright (procurement and license management) are defined and implemented.

    6 - Requirements from business relationships (e.g. reporting obligations to the client) are determined and implemented.

    7 - Requirements for key sovereignty have been determined and met.

    8 - Security-relevant requirements for information security with regard to the handling of event logs, e.g. requirements from contracts, are determined and implemented.

    9 - Extended requirements for the control and administration of networks have been identified and implemented

  • 3.6. Documents of external origin

    1. In the section 3.6 Documents of external origin, in Procedure for document and record control, there is a line saying: “Each external document that is necessary for the planning and operation of the QMS must be recorded in the incoming mail register.”

    This is basically all emails, from purchase, sales, quality etc. etc., basically every email that needs to be registered because it can be necessary for the planning and operation of the QMS. This makes it completely inefficient to run the company.

    What is the absolute minimum to do here? We have several different systems that track important emails and documents. We have a program for QMS to handle all documents; we have an ERP system to track all sales/production/shipments. This email registering system will break us. Why do we need it? Please advise.

    2. In ISO 13485 it only states: “ensure that documents of external origin, determined by the organization to be necessary for the planning and operation of the quality management system, are identified and their distribution controlled.”

    So why does the toolkit say that we have to have an advanced email document system?

  • ISMS - In scope or out of scope

    Hope all is well. In my ISMS Scope doc, I specifically included my company’s two processes and services:

    - Managed Application Services (MAS) that help customers manage and host specific applications
    - Software as a Service (SaaS) that provides cloud-based software solutions for customers

    The CS, TD and DTS are the three technology divisions providing the MAS and SaaS services; therefore they are considered as the parties to implement and maintain the ISMS.

    Our Sales and Marketing Divisions are considered as the users, but they are, implicitly, responsible for following the ISMS policies and procedures, as users.

    Can we exclude Sales and Marketing from the ISMS scope? Please advise.

  • Generating reports as security manager

    As a security manager, how can she/he generate a report to see the number and progress of incidents in different time periods?

    Or how can she/he report who has handled which incident?

    Or what is the most vulnerable service based on the number of the incidents?

  • Implementation questions

    Hello Dejan,

    I think I got a decent understanding of how the standard works from the videos, so I went ahead and started the implementation with the help of the documentation toolkit.

    I have a few questions you may be able to help me with:

    1 - We are a small startup and have very little internal bureaucracy, let alone a document template pre-designed for that purpose, so in that sense we can be very flexible as to how we want the ISO 27001 documents to look. I thought I'd keep everything in electronic format and rely on the word processor's features for things such as authorship, version control, signature and approval of documents, etc. That means that many of the elements present in the templates from the toolkit (the change history table, table of contents, page numbers, etc.) are redundant, since they are already available as document metadata outside of the page. I understand these fields would be useful if we were to ever keep a printed copy of the document, but I don't think that is going to be the case. So my question is, should we nevertheless adhere to the format provided in the templates as a best practice, or is any format adequate as long as it is consistent with the specifications from the "Procedure for Document and Record Control" document?

    2 - Similarly, the use of job titles seems excessive for a company our size, where a single employee is usually the only one responsible for writing the document, approving it and monitoring compliance. We do not have upper management levels nor a board of directors. In that sense, to what extent should we rely on the use of role names such as Information Security Manager, as opposed to a more generic IT Manager? Should these job descriptions be reflected somewhere else, such as in the employment contract?

    3 - While working on some of the documents I noticed that the assessment of things such as requirements and stakeholders can be rather subjective. Is there any possibility of a certification body raising concerns owing to a disagreement on how this assessment was performed? In other words, how can we judge whether these documents contain enough and accurate information for the certification to be successful?

    4 - The documentation toolkit is sold with the premise of it containing all the information we need to become certified, but it refers to the standard itself in various explanatory notes throughout. E.g.: Requirements relevant for ISMS implementation are those established by the standard itself (all statements that contain the word “shall” are requirements). Would you advise purchasing the standard as complementary information to the toolkit?

    Thank you in advance.
