Risk Assessment - Must Risk Assessments include business processes and activities?
Hi
As the subject says, may I carry out Risk Assessments on a per business system or IT asset group basis, or must I also include business processes and activities?
Thanks
Lee
ISO 27001 certifications
We are at the very beginning of thinking about 27001 certification. We are learning about the standard. If we go further, we will have to surround ourselves with people who are ISO 27001 certified.
So, my questions:
1. Is it worth it for me to obtain the ISO 27001 Foundations certification? I would like to get it in April 2022.
2. Are “Lead Implementer” and “Lead Auditor” certifications still adequate?
Question regarding ISO Process
Is the best step forward now to try to map the risks against the SoA and hand out responsibilities for controls?
Or should we instead focus on the risk treatment for our "red" risks?
Question about ISO22301 template
1 - I am looking for an example of a process dependency matrix.
2 - I am also busy with a very big client's BCP. They have quite a few emergency, evacuation and other plans (SHE, Fire), as they are a power station. How does one integrate these into the BCP, and how do I link this to the Incident management process?
Software Password Storage
Hi Guys
Regarding Software Assets, we have identified a risk that if the passwords/keys for the software are misplaced, we will no longer be able to use that asset.
The control we have implemented is to store all such passwords/keys in a password safe.
My question is which document should this control be recorded in?
The “Password Policy” document seems to be focused solely on user passwords, not software/keys.
Clause 4.3: ISMS scope
Good morning. I have a question about clause 4.3: ISMS scope. I described as the scope that all data needs to be secured. I find it logical because it's the goal of ISO 27001. My question is which angle to look at while making the scope precise.
Confidentiality statement
Within the mandatory doc list, it is essential to provide the Confidentiality Statement doc.
Within the Confidentiality Statement Doc, it asks you to reword the confidentiality statement, if it is just for employees, to say the following:
If this Confidentiality Statement is signed by employees, replace this text with "... I will share confidential information only in accordance with the Policy for Handling Classified Information and other documents of [organization name]."
But…. The Information Classification Policy is not mandatory.
Please can you advise?
NIST 800-53 vs ISO 27001
I would like to know which is the better framework for financial organisations - NIST 800-53 or ISO 27001?
Questions about Stage 1, and Scope
Dear Dejan,
We have already passed Stage 1 successfully with the recommendation from the auditor to move to Stage 2. Thank you very much for all your support and information!!
Nevertheless, a little situation arose from the Stage and maybe you can give us some suggestions.
In our company we develop and maintain Software and Hardware (we have a pool of 80 developers). We defined our scope with the idea of including just the processes that support our development process:
“The information systems that support the following services are part of the ISMS scope:
o Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection
o Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.”
During Stage 1, the auditor commented to us that we should include all the developers within the scope, and thus include/raise the corresponding days and money. Or exclude the Development controls from the SoA and have a Scope like this, without auditing the development:
“The operation of information systems that support the following activities and services:
o Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection
o Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.”
Does the inclusion of all the developers make sense to you? They work on different projects but basically work in the same way regarding the ISMS. We may have team leaders, developers, and working students, but all categories work in the same way.
What could we argue against this decision/suggestion?
Thank you very much in advance
ISO/IEC 27001/2 Harmonization
The harmonization of 27001 / 27002 will be planned in 2022. Standards like 27017/18 and 27701 should also be harmonized. Is there also a timeline when this will happen?