Dear Team,
First of all, thanks a lot for your “Overview of new security controls in FDIS ISO 27002” – it helps a lot to understand what is being changed.
If we are currently in the process of implementing ISO 27001, would you recommend changing our SoA according to the new version already?
Thank you!
ISO 27001 questions - Conformio/Toolkit
I have some questions about the ISMS scope document from the toolkit.
We own the servers in a data center that is owned by a third party, so what does it mean that the provider has control? Our customers purchase our service as SaaS, but on our side we have suppliers who provide us with the data center. These are the services we offer.
The question is - does this mean that the provider who has control is the customer, us as the provider of the service or the third party service we use to rent the data center? How does this affect our risk matrix? We buy/rent our infrastructure so what asset should we include in the risk matrix? What I understand is that we should mark ourselves as number 2 in this table.
Am I correct?
In that case, should we include the Datacenter as an asset of our organization or not, since this is something we rent?
In that case this asset should not be included, is that correct?
Should we also include storage media as an asset, considering the scope of our business?
When thinking about the assets "Internally developed software" and "Servers" - should we consider all the different products we provide and the servers we use as separate assets, or can we just write a general "Servers" or "Internally developed software" and that is enough?
When thinking about "Operating system" as an asset - does this refer to the operating systems we use in our organization where we are running the server or does it refer to the operating systems our customers are using when downloading and using our service?
ISO 27001 Expert question
The company is not planning to get certified, but IS is supposed to be compliant with the European NIS directive. Experts on that directive are all recommending the ISO 27001/22301 standards. So I’m trying to respect ISO standards best practices in all my projects now. I’m a little bit lost with document management for the moment.
For the moment I’m just wishing to know:
Is « System Management & processes » the right way to classify documents when wanting to respect ISO 27001?
If the answer to question number 1 is « yes », then how to deal with documents like policies that are used by multiple SM & processes? I’ve seen in a SharePoint tutorial proposed by ISO 9001 experts that they were using metadata for document indexing. Does that mean that policies should be attached to multiple SM & processes at the metadata level?
If the answer to question number 2 is « yes », then are there best practices in ISO 27001 about document organization apart from classification? In the ISO 9001 SharePoint tutorial the experts were saying that there was no obligation regarding the organization of documents and that they can be stored with or without hierarchy. But regarding access rights, I suppose it can change things a lot. Is there something detailed about access rights to documentation in ISO 27001?
ISO 27001 - exclusion of personal devices in the ISMS scope
In the ISMS scope document, I initially removed the usage of personal devices for the business (like using our own phones to access emails) from the ISMS scope.
But finally, I wonder whether this is a good idea, and whether we are not taking the risk that an external auditor would argue that using personal devices is a high risk for the company.
What would you suggest?
Presenting changes on internal and external issues after a merger
Do you know how to present the changes on internal and external issues after a merger?
Scope question
Our scope will be the whole company (***, about 30 people). This company has an affiliated company (100%) called ***. All employees are employed by *** and some of them also work for ***. The scope should include both companies. Is this automatically included or may I name both companies in the scope statement?
ISO 27001 Toolkit - Document 02.1
I hope you’re well and had a good weekend.
Can you please advise if ISO 27001 requires me to list all UK GDPR requirements individually on the document ‘02.1_Appendix_1_List_of_Legal_Regulatory_Contractual_and_Other_Requirements_27001_EN’ provided in the 27001 toolkit?
Would it be sufficient to merely list the requirement ‘Adhere to all UK GDPR requirements as listed under Part 2, Chapter 2 of the UK Data Protection Act 2018’?
I’m hoping I don’t need to effectively copy and paste a lot of sections of the UK GDPR but thought it best to check to ensure compliance with ISO 27001.
ISO 27001:2022
Based upon your brief discussion regarding the 2022 version of the 27001 standard, do you perhaps know whether changes to 27002 are envisaged in 2022 as well?
Software Development Templates
I have new questions about the templates I'm trying to find, so I need some advice on software development templates:
1. Preliminary assessment of the technological feasibility of the concept
2. Defined product concept
3. Report on proving the concept
4. Report on the results of laboratory tests
5. Demonstrated technology in the relevant environment
6. Technology Demonstration Report
Do you have a list of all software development forms somewhere on your page?
Question about ISO 27001 and ISO 22301
Hope you are keeping well. I have a question about how we approach ISO 27001 and 22301 in relation to our (potential) customers. As you may recall, we are a start-up company with no contractual arrangements with our current clients. Currently we have a number of customers using our AI product in Proof of Concept projects. The aim is, once they are happy with the PoC, to move on to a large project(s) where we will formalize the relationship by selling our products and services to the customers.
Now to ISO ... As we have no contracts with customers currently, the plan for both ISO 27001 and 22301 is to cover just our company’s security standards and business continuity needs, so that we obtain certification for ourselves. As and when we sign a customer, we will then modify all relevant ISO processes to include the customer’s security and service availability requirements, and so on.
Is this the correct approach? Or do we need a customer? And if so, why?