ISO 27001 & 22301 - Expert Advice Community


  • Annex A Controls in Conformio

    1. It seems that you are informing me through Conformio that I should prepare policies with Annex A controls incorporated into them (as seen in the Project Plan). For example, Title: Incident Response Policy, and we would mention the Annex A controls in it. Shouldn't we instead have a folder A.16 Information Security Incident Management with files A.16.1 Responsibilities, A.16.1.2 Reporting Information Security Events, A.16.1.3 Reporting Information Security Weaknesses, A.16.1.4 Assessment of and Decision on Information Security Events, etc.? 2. Is there a tool JUST for Risk Assessment?
  • Using ISO 27001 for implementing ISO 9001

    1 - Do you have a presentation that shares some insight on the opposite route, using ISO 27001 for implementing ISO 9001? 2 - And would there be any value in going down that route, given that our customers do not normally require ISO 9001?
  • Documents - Classification plan & storage for process documents like policies

    I'm trying to improve the document management for the IT department of an international food service company as part of my job. I'm a senior consultant in project management now. I've also been working as an IT architect and IT production consultant for years in the banking software development business. I've seen and done many useful things in the past, but I've reached the limit of my knowledge in documentation management. I've never had to work at the "policy documentation level" before, as there had always been people in charge of that. I only had to use already written documents that were extracted from the documentation store for me by documentation or quality experts. I'm looking for small hints from an expert with a good information security view. I hope you can help me so I can move on, since I'm a little stuck for the moment.

    Here is the context (part 1): A few months ago I started writing an App Service management policy and reviewing the project management process, to stop the long and bad habit of my client's IT teams of neither writing rules down nor updating documents. At one point I had to stop because I just had too much information and too many requirements to take into account. There are so many regulations, practices, and management systems to officially respect at the IT apps level for the company. My policy had started to look too much like a "cooking bible". I ended up wondering how to have people validate and keep big documents alive.

    1 - Here is the practice I've found (part 1): After reading one of your articles (https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/) I found that I just had to cut things into smaller pieces. Your article is also a nice argument, since the architect manager had told me he prefers bible documents, and my manager doesn't like the idea at all. That article really is a great help for me. Thanks for writing it. You're the only expert to provide such information on policy organization. After reading an article from another expert, I've also decided to cut the documents per management system and to respect an integration logic. Here are the systems to integrate at the document level that I've already listed: QMS, SMS, ISMS, PMS, UMS, CMS, OHSMS, FSMS, EMS. I hope this is the good logic, since your article does not cover the integration aspect of policy management. What's your opinion?

    Here is the context (part 2): I've also started wondering where to store the new documents so that the good people have the right access to read and update the right documents. With my manager we are working on "IT documents storage" improvement so that the documents can be made available to all the IT teams once written. For the moment there are also only procedures and operating modes in the storage, no policies. Documents are stored on a NAS that does not respect the new IT tiered organization logic and that has been mixing BUILD & RUN documents for a very long time. The access also has to be changed to enable international IT teams to use documents originally developed in France. Working on forms, procedures, specifications or project document management compliant with the ISO 9001 standard is something I've already practiced, but policy document management is really new for me.

    2 - Here is where I'm stuck: For the moment I've found that document storage should be organized with a classification plan that should reflect the process logic. It sounds quite reasonable, even if it is hard to visualize a SharePoint site design per process. I've also found that policies are produced by pilot processes. So OK, but policies are also used by operational managers as entry points when designing their own processes. From there on I'm stuck. How do classification plans manage the documents that are shared between process owners? I've not been able to find an example of IT documentation storage yet to help me find the answer to that question, or to find out if the "process logic" was the correct goal for IT process document classification. Is there something about classification plans for process documents in security standards? Can you give me hints or advice so I can start writing a classification plan that can be used by SharePoint experts to build a nice & secured documentation site to host the old documents and the new policies? Thanks.
  • Security objectives in Conformio

    If it's not possible to do this (changing the security objectives), then we'd probably disapply all the Conformio ones and create our own document. Would that cause problems elsewhere in the system?
  • ISO 27001 Internal Auditor

    I'm currently half-way through the ISO 27001 Internal Auditor online course, at module 6. The module covers Annex section A5 Information Security Policies and section A18 Compliance; these are not presented in the ISO 27001 Documentation Toolkit which I'm currently using. Could you clarify the discrepancy? The Toolkit was purchased by our organization back in 2019; is this still current?
  • DEVOPS position according to ISO27001

    Hello 27001 Academy, according to ISO 27001, is there any interpretation of the current DevOps position? I mean, the requirement is clear about the development team not having access to production environments, but what about DevOps: are they considered developers, or just operators in charge of promoting software to production? Thank you for your opinion.
  • Audit management

    As you are aware, I purchased an ISO 27001 Toolkit for my internal use. I have also confirmed pricing on White Label 27001 Toolkits. Based upon what you presented tonight, I would really appreciate your guidance as to which is going to be the best tool selection, either Conformio or the ISO 27001 Toolkit, to manage audits of my clients. I look forward to your valued response.
  • Doubts about lead auditors in 27001

    I have been on several ISO 22301 and 27001 webinars and I have some doubts; I wonder if you could answer them for me. 1) In which cases can an auditor decide to waive an audit in a company? 2) If illegal software is detected during an audit, what is the procedure the auditor has to follow, and who is required to communicate how to proceed?
  • ISO 27001 questions related to Conformio

    Question 1: "We are a little bit lost with the Initial Training Plan, as we are not sure how to structure it and what good practice is. Can you provide good practice for training when defining the Initial Training Plan? We are not sure if we need to define different suggested training for different skills. Should it be based on different skills, or on different rules depending on the role in the company? What are good training or skills for an IT Manager or Compliance Officer, for example? We would also appreciate a catalog of links to training on your website that could be useful in completing the training plan." Question 2: "We were going over the "Procedure for Identification of Requirements" and we ran into this part that wasn't clear: https://prnt.sc/26guyux - what document does the "Information Security Management System Policy" refer to?"
  • ISMS

    One important part of the ISMS is the employees' internal security awareness training. I see that you propose free security awareness training on your website. 1 - Is this sufficient during an ISO 27001 certification external audit to prove that *** took the necessary actions with regard to training internal employees? 2 - Is there any way to prove that the employees have effectively followed your training? Something like a completion certificate? 3 - Would you recommend additional steps?
Page 65 of 544 pages