ISO 27001 & 22301 - Expert Advice Community

Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

Assign
  • Interested parties, external and internal

    As part of Iso27001 I know we are required to gather context of interest parties identify external and internal context. To satisfy auditors does this have to be in a document format like a policy?

  • Assessing maturity level of ISO/IEC 27001 implementation

    Are there models to assess the maturity level of ISO/IEC 27001 implementation? Kindly recommend some.

  • Defining an ISMS scope

    A client wishes to become ISO 27001 certified. My company is a very small ICT firm working in the same building and on the same network as this client (same ip-scope). How should I define their scope?

  • CSP - CSC - end user in iso 27017

    I would really appreciate your opinion on this iso27017 matter. This is the case.

    Company A is ISO27001 certified for the ".... management of cloud infrastructure (IaaS)"

    Company A does not have its own data center.

    Company A provides IaaS services based on cloud resources and technology of a Big provider (such as MS Azure vmware solution) with which Company A has a contract.

    Company A wants to integrate iso27017 to its current iso27001 certificate (which already includes IaaS services).

    From an iso27017 perspective, is company A to be considered cloud service customer or cloud service provider or both? And why?

    Thanks in advance

  • Performing Risk management according to ISO 27005

    How to perform practically and step by step the Risk management according ISO27005 ?

  • Question for ISMS ISO 27001

    We bought the Docu Kit and again I have a question about the ISMS.

    The ISO 27001 standard requires that an information security policy be formulated and made known (5.2). The standard does not specify which scope (or area) of an organization the information security policy must cover. Is it possible that overall policies are valid for multiple areas (locations, sides) within an organization, whereas some policies are only valid within the specified scope of the ISMS?

    An example:

    Our company has several locations and the information security policy applies to all locations here in XXXX. However, the actual scope of the ISMS is only a subarea of a certain location. Therefore, can the information security policy be valid in its entirety while certain procedural instructions of the ISMS apply only for the ISMS scope? This would mean that there are documents in the ISMS with general validity and also documents that only apply to the ISMS.

  • ISO 27001 questions

    Estimados Señores Advisera

    Agradeceré su apoyo con las siguientes preguntas:

    1.            En una pregunta anterior, sobre si era correcto que el CISO realice las auditorías internas, su respuesta fue que se debe buscar a otra persona porque el CISO no puede auditarse así mismo. Esto me lleva a la siguiente pregunta ¿En las auditorias solo debe participar el CISO, es decir está dirigida solamente a este rol o también participa otro personal de la empresa que debe ser auditado?

    2.            ¿Los procedimientos que elaboró un área de la empresa (por ejemplo área de recursos humanos) también son auditados o solo los que la norma indica como obligatorios?

    3.            ¿Es obligatorio que cada área de la empresa elabore sus documentos o procedimientos de cómo operan?

    4.            El apartado de la norma 7.1 habla de presupuesto financiero ¿Cómo se debe presentar este documento en una auditoría?

    5.            Respecto a los riesgos, se decide revisarlos después de haber aprobado la auditoría (al menos una vez al año), en esta segunda revisión si un riesgo ya fue controlado con un control del “Anexo A” ¿Se debe volver a considerar en la nueva evaluación o solo se consideran los nuevos riesgos que se identifiquen? ¿La nueva lista de riesgos reemplaza a la anterior o solo adiciona los nuevos?

    6.            ¿En una auditoria de seguimiento (o mantenimiento) pueden quitarnos la certificación?

    Dear Sirs Advisera

    I will appreciate your support with the following questions:

    1. In a previous question about whether it was correct for the CISO to perform internal audits, your answer was that someone else should be sought because the CISO cannot audit itself. This leads me to the following question, should only the CISO participate in the audits, that is, is it directed only to this role or does other company personnel participate that must be audited?

    2. Are the procedures developed by an area of the company (for example human resources area) also audited or only those that the standard indicates as mandatory?

    3. Is it mandatory for each area of the company to prepare its documents or procedures for how they operate?

    4. Section 7.1 of the standard talks about financial budgeting. How should this document be presented in an audit?

    5. Regarding the risks, it is decided to review them after having approved the audit (at least once a year), in this second review if a risk has already been controlled with a control in “Annex A”, should it be considered again in the new assessment or are only new risks that are identified considered? Does the new list of risks replace the old one or just add the new ones?

    6. In a follow-up audit (or maintenance) can we remove the certification?

  • Risk assessment

    Where do you assess your assets relating to confidentiality, sensitivity and integrity principle? And how do I incorporate this in the Risk assessment? In other words, should an asset have a high rating in sensitivity, how does it affect the impact?

  • Auditing integrated ISO 27001, ISO 20000 and ISO 9001

    I have a question regarding the ISO auditing process. 

    My company is trying to do an integrated ISO management system with ISO27001, ISO20000 and ISO9001. Can each of standards be audited individually or must we implement all first and then go for auditing/certification?

  • Annex A section 5.1

    I have had one of our ISO reviewers internally – asking why we don’t have Annex A section 5.1 (5.1.1 and 5.1.2) documents as part of the kit we purchased, or if these are covered in other sections?

Page 6 of 448 pages