Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Certification for both 9001 and 27001
I actually have one question /clarification based one what I read which confirms that it is possible to get certified for both 9001 and 27001 at the same time. I would like to get clarification on how both projects would be done concurrently and/or together. What are the common activities / interview meetings / deliverables? Can a department interview approach be taken? Is the risk assessment and treatment plan common to both standards or only specific to 27001? How does the certification audit work in this case? What does it take to undertake both projects at the same time ( in terms of additional time and resources)? Do you recommend to work on both 9001 and 27001 certification at the same time?
-
Risk assessment: multiple vulnerabilities for the same threat
On your tutorial vimeo page in the "06 How to implement risk treatment" video, you showed an example (see screenshot attached) in which you listed 2 separate lines for: the same asset, with the same threat, but with 2 different vulnerabilities.
Would it not make more sense to list this under 1 line?
That way there is 1 asset, 1 threat, 2 vulnerabilities and 2 controls.I ask this because for some of our threats, we have 5-6 vulnerabilities and 5-6 controls to mitigate them. should we split this to different lines or is it okay to have multiple vulnerabilities, with multiple controls, and multiple assets - within 1 line?
-
Conformio roles
My name is the only available user for the steps in Conformio. What other users/roles would you recommend that I add? (Or does that actually come later in the process? The guide says I should not skip any steps, but at the same time I feel I need some new roles and users in the system)
-
Help with certification
Hi, we wanted to discuss how to best place our shared server IT Department to support the business units who currently hold or want to obtain ISO 27001:2022 certification.
-
Register of Requirements and scope
We like to have the development and QA departments of *** certified. But we like to include the hosting of our cloud service (which is done by our holding company) in all the documents already now. We have been advised to do so because we like to keep the scope small for the initial certification but extend it later. I'm now working at the Register of Requirements. How can I make transparent which requirements are for Dev/QA of *** and which are for the holding (in other words, what is in the certification scope and what's for later)?
-
Controls in the SoA that so not show up in the Risk Assessment
We have controls in the SoA that we want to implement, that are not specifically part of the risk assessment table i.e., not used to mitigate a specified threat. However, it still makes sense to implement these controls. Is that ok? Can we have controls in the SoA that are not specifically part of the risk management?
-
Handling termination and change of employment
What sections or where would the handling termination and change of employment with ISO 27001 be located? Not sure how where to find that.
-
Risk assessment Guidance
1 - is there a tool to help with risk assessment coverage from ISO 27k to 9k/20k?
Need to update Risk assessment and wanted to know if there is set Guidance and or tool to assist
2 - is there set policy or regulations for doing a risk assessment to include these additional ISO's?
-
Validity and document management
I have one minor clarification.
In all procedure templates have a validity and document management section as below:
Validity and document management
This document is valid as of [date].
---------------------------------------------------------------------------------
If we are creating this document today, which date do we need to mention here as valid as of [date].
Is it like we need to keep a date after 1 year or so when we plan to review the document again?
For example, today is 12 AUG 2023, do we need to mention as “This document is valid as of 12 AUG 2024”.
Please clarify.
If we keep a date after one year, then we should ensure we review/revise document before that and change this date to date after one year again. Correct?