ISO 27001 & 22301 - Expert Advice Community

  • Confidentiality statement

    Within the mandatory doc list, it is essential to provide the Confidentiality Statement doc. Within the Confidentiality Statement doc it asks you to reword the confidentiality statement if just for employees, to say the following: If this Confidentiality Statement is signed by employees, replace this text with "... I will share confidential information only in accordance with the Policy for Handling Classified Information and other documents of [organization name]." But… the Information Classification Policy is not mandatory. Please can you advise?
  • NIST 800-53 vs ISO 27001

    I would like to know which is a better framework for financial organisations - NIST 800-53 or ISO 27001?
  • Questions about Stage 1, and Scope

    Dear Dejan, We have already passed Stage 1 successfully with the recommendation from the auditor to move to Stage 2. Thank you very much for all your support and information!! Nevertheless, a little situation arose from the Stage and maybe you can give us some suggestions. In our company we develop and maintain software and hardware (we have a pool of 80 developers). We defined our scope with the idea to include just the processes that support our development process: “The information systems that support the following services are part of the ISMS scope: o Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection o Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.” During Stage 1 the auditor commented to us that we should include all the developers within the scope, and thus include/raise the corresponding days and money. Or exclude the development controls from the SoA and have a scope like this without auditing the development: “The operation of information systems that support the following activities and services: o Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection o Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.” Does the inclusion of all the developers make sense to you? They work on different projects but basically work in the same way regarding the ISMS. We may have team leaders, developers, and working students, but all categories work in the same way. What could we argue against this decision/suggestion? Thank you very much in advance
  • ISO/IEC 27001/2 Harmonization

    The harmonization of 27001 / 27002 is planned for 2022. Standards like 27017/18 and 27701 should also be harmonized. Is there also a timeline for when this will happen?

  • DMS/Apps - information/content delineation questions

    We are trying to understand / get a clear definition of the delineation between DMS and application information/content. Background: Currently we use Dropbox, Fibery Collaborative Docs & Whiteboards, and HubSpot to store company documentation and files. The content of each is not managed in any way and has grown organically. For our ISO 27001 DMS our intention is to use a new separate folder area within Dropbox to store the ISO documents and records, and related PowerX documents, and use a register (spreadsheet) to list all assets and provide a hyperlink to the folder where they are stored. Questions: 1. What we are getting confused over is what information/content can stay in Fibery and HubSpot (and other collaborative apps like Confluence, which we will be using) and what we need to move into the DMS. Is there any guidance on how to approach this? For example, if we leave ISMS-related content in Fibery and point the hyperlink to the content, is that OK ... 2. Another question is, most 3rd party apps provide features to create documents. For example, Fibery has a document function to create docs to their standards. However, they do not have the fields to store many of the ISO document standards, like control info. and classification type. And access can be open to anyone authorised. Would it be fair to say that any ISMS-related documents and records should not be stored in such an app?
  • ISO 27002 changes

    Following the changes to ISO 27002, would a company be able to proceed with an ISO 27001 audit this May based on the previous ISO 27002 standard?
  • Undocumented Controls

    As part of *** ISO 27001 implementation, I thoroughly reviewed the ‘List_of_documents_ISO_27001_Documentation_Toolkit_EN’ file attached that was included within the toolkit and mapped out which Annex A controls were covered by the template documents in the toolkit. I’ve recorded this in the ‘Toolkit Annex A Controls’ file attached for reference. It would have been useful if I didn’t have to manually gather this information myself, but that is not the point of this email. My biggest concern is that there appear to be 34 Annex A controls that are not covered by the toolkit, despite the toolkit being advertised as ‘All required ISO 27001 documents’ as shown below. Can you please advise on this matter as soon as you’re able so that I can proceed accordingly? With 34 Annex A controls not being covered, that seems like a lot, and I worry that when our business is audited for ISO 27001, we will fail due to so many missing controls. Any guidance or clarity you could provide on this will help my peace of mind greatly. I’m on a tight deadline to have 27001 and 9001 implemented and certified by the end of June this year, hence my purchasing the toolkits for both to cut down the number of hours required.
  • Continuous responsibilities

    I noticed in the My Work: Tasks Assigned to Me section, some of the tasks are listed as "Continuous Responsibilities". Such as: Coordinate the ISO 27001 implementation project and Report project status to the project sponsor. My teammates have other tasks that are listed. At what point should we mark them as "Done"? Is it when we acknowledge that we have these ongoing responsibilities, or do we wait until the end of the project to mark them as done?
  • Task Link Issue

    As the subject document must be reviewed from a version control perspective, there is no link between reading the document per 1 above and then completing the Main Step for the document. This is a gap that I would appreciate your feedback on. The Task asked me to review the document. When I reviewed the document, on the last page it stated I have to review annually by x date. When I opened the wizard up I needed to review/add bits, so I have done so and sent it for approval today. By doing so, this will then change the next review date 12 months out. I just don’t think completing the Task is sufficient. Documents generally have to be reviewed each year. It’s also a good idea to distribute them again so users can refresh their knowledge. Doing this via the wizard is the way to go, I feel.
  • Risk register is not effective

    We are an SMB organization with 200 employees and 13 IT staff, and the scope of implementation is only for the IT department!! We are implementing ISO 27001, and the main challenge is to identify and register the risks in an effective and realistic manner. We are working with a third party and they delivered a register of 140 risks; we have a couple of comments on the registered risks, as follows: 1- the registered risks are not realistic, and it is closer to an issue register than a risk register 2- most of the registered risks are repeated in different ways 3- 140 registered risks is far too many to manage and maintain. The third party based the risks on asset groups!! Does this make sense, and how can we resolve this issue?