ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 14001 Product: ISO 27001 Internal Auditor Course
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Can a company be certified by someone who works for them?

    I noticed you have individual certification courses for ISO27001. I was wondering if a company can be certified by someone who works for them.

    For example, I am a contractor for Enhance Patient Finance. if I got ISO27001 individually certified as an auditor could I then certify Enhance Patient Finance as ISO27001 certified even though I am one of their developers/contractors?

  • A.15.2.2 Managing changes to supplier services

    I have read the implementation guidance in ISO 27002 but I am still not sure of what type of controls we should implement to be compliant with the control A.15.2.2 (ISO27001:2013). I understand that this is regarding changes in supplier agreements and/or Terms and conditions, changes in how our company uses the supplier services etc. Could anyone share how you have implemented this control? We have a non conformance from our recent audit regarding this hence my question.

  • Missing ISO27001 References in List of Documents

    Hi Advisera Support,

    just working through your Dokument List PDF File, which I personally really like as an overview of the referrences to the ISO 27001:2022

    BUT in this context, I  am missing some essential referrences, which I would have expected there.

    Are theses intentionally missing there or don't I have the latest Version of he Dokument List PDF

    IMHO, following Referrences to the ISO 27001:2022 are missing: 4.1, 4.4, 5.1, 6.1.1, A.5.1, A.5.2, A.5.3, A.5.4, A.5.6, A.5.8, A.5.34, A.5.36, A.7.1, A.7.2, A.7.3, A.7.5, A.7.8, A.7.11, A.7.12, A.7.13

    Please provide me in which of the Advisera template Doks the relevant Chapters of the ISO are mentioned.

  • Screening and vetting policy

    I am using the Documentation kit to develop our 27001 documents. I can not however locate a Screening and Vetting Policy template - any one able to point me at where it is ?

  • Asset and Risk Owners - can it be a role and also a name of an employee

    In the asset and risk registers, can the asset owner and risk owner be both a role (like IT Manager) and also the name of a specific employee? Or does it have to be one of those and cannot be the other?

  • A.15.2.2 Managing changes to supplier services

    I have read the implementation guidance in ISO 2002 but I am still not sure of what type of controls we should implement to be compliant with the control A.15.2.2 (ISO27001:2013). I understand that this is regarding changes in supplier agreements and/or Terms and conditions, changes in how our company uses the supplier services etc. Could anyone share how you have implemented this control? We have a non conformance from our recent audit regarding this hence my question. 

    Thank you in advance!

     

  • Risk Treatment Advice

    Hello,

    We are a small IT co. currently at Risk Treatment stage. IT manager has now become engaged in more detail and suggesting that we accept all suggested controls automatically generated for each risk. Understandably, his thinking is that it is safer to be comprehensive and many controls will be selected in other risks anyway. I think that there is a danger here that explaining any given control applied to a risk might look like 'box ticking' if the control is not really applicable/relevant to the particular risk.
    Example; one risk/threat pair  'Rules for mobile devices not defined/theft, vandalism, or sabotage' offers 32 controls.If we have to explain/justify each of these controls in SoA that seems a lot of work and some justifications may be thin? This is just 1 of 114 risks he has selected for application of controls, so we may be creating a huge mountain to climb?

    Any advice/guidance on this appreciated. 

  • Scope

    In the case of a group of three companies (A, B, C), company A is to be certified. All three companies have their own, independent customers and suppliers. The servers and network components of all three companies are located in the data center of company A. How must the SCOPE of company A be described if the servers and network components of companies B and C are NOT to be part of the certification?

  • Internal audit checklist and report combined

    What will be doing is using the checklist to carry out the iso27001 Internal audit. As you know the checklist has a section that says evidence I will write where I got the evidence who I interviewed medium etc.

    What I am however doing is after each section of the checklist for eg context of the organisation 

    I have combined the report there for example after each major section after answering collecting the evidence I have done this.

    I have basically combined the audit checklist and the report. I'll send a screenshot. Please let me know what if this fulfill requirements of audit and audit report. Programme I have already please see screenshot.

    Many thanks my guess combining them is fine just double checking. 

  • ISO 27001 Clause 4 - Scope

    In respect of scope location, would you include remote working eg coffee shop/airport? I would like to include homeworking, but I feel ad-hoc remote working may be a step too far in the scope. What would be best practice here please?
Page 7 of 544 pages