Is ISO22301 mandatory for audits like e.g., ISO13485?
Hi - wanted to get your thoughts on the impending version of ISO27001/2 and if you will be covering the changes via your website soon?
My question is: Does the ISO 27001 standard (Information security management systems — Requirements) talks about security of information that pertains to computers only? Or is it talking about information security in general, I mean traditional paper information too?
Is there a control mapping document between ISO 27k and 22301
How to integrate ISO 27001, 22301, and 20000?
How does ISO 27001 complement or conflict with NIST 800?
1. What is the best way to do risk management?
2. How do I raise awareness for information security?
3. How to setup an ISMS which is used with excitement? How do I get colleagues all across the organisation to not only understand the necessity, but also the advantages of an ISMS for their daily work?
Is there a concrete definition for contingent workers per the ISO Standard?
We are coming up for re-certification this year for ISO27001. We were all in an office in *** but since the pandemic we have all been given new contracts and are permanently WFH now. Since the scope only contained services and company owned hardware at the *** Office, this cannot stay as is. I was wondering if I was to change the scope to say "Company owned assets"? If I was to change this will it exclude home routers etc., or will I need a new policy for updating home security devices? We have many layers of security in place, including encryption, MFA, conditional access policies etc. Just looking to make the scope correct for the new world we find ourselves in.
Hi Dejan,
I’m from a multi-academy trust which is made up of XXXX schools. We have over XXXX students and XXXX staff, so for our scope, we’re looking at the IT department, rather than the whole organisation.
However, the more I look at the this, the more confused I’m getting!
Clauses 4.1 and 4.2, are they based on the organisation as a whole, rather than the department in scope? It seems like even clause 4.1 & 2 is a huge task, and identifies things that aren’t covered by the IT department. It seems odd to identify these issues as an organisation, only to not cover them as they aren’t covered by our scope.
Also, in terms of interested parties, would our students count? If so, would it be over the age of consent in GDRP terms of, or all ages?
Also, do you know if any schools or multi-academy trusts in the UK have achieved ISO27001? If not, are there any resources or information you could point me too that are focused on educational establishments that I could gain some guidance from?
Finally, (apologies this may be oddly worded!) but as the IT department, does that just cover the processes/information used by them, or does it also mean the services/equipment the IT department provides for others to use? Such as require 2 factor authentication for staff in other departments to login to a service?
We’re also going to purchase the documentation and support pack with you, but our ordering process can take a little while, so just wanted to get these couple of questions out in advance!
