ISO 27001 & 22301 - Expert Advice Community


  • Supplier Security Policy

    Hello Support, I hope you are doing well. I am planning to work on the Supplier Security Policy, and I have some questions: Do you have any Supplier Security Policy questionnaire template ready in the toolkit or on your website? Do you have any supplier security management partner or suggestion that we could consider using? In section 3.2 Screening, the policy says: "[Job title] decides whether it is necessary to perform background verification checks for individual suppliers and partners, and if yes, which methods must be used." What method does it mean?
  • Information security incident

    ISO 27001 - information security incident - what is the deadline for notification and handling?

  • Removing approved risks in Conformio

    How is it possible to remove some threats and vulnerabilities that we have already reviewed and approved?
  • Vendor/third party risk management/assessment

    I wonder if you have any document about vendor/third-party risk management/assessment? Also, is it covered in ISO 27001?

  • ISO 27001 audits

    1. Can the same person who manages the ISMS for the organisation do the internal audit? Is there a conflict of interest? 2. Does the internal auditor need to be technical in IT? Where system security applications are stated in the policies/procedures, does the internal auditor need to verify their functionality/effectiveness, or only need to view documented materials? In other words, does the auditor need to test the system for validity? 3. Can an internal audit be carried out in stages over different timeframes, or must it be done in one process?
  • Asset inventory

    Hi! I'm a customer of yours at the moment. I bought the ISO 27001 template package. One quick question: Should the Asset Inventory spreadsheet and the Risk Assessment spreadsheet always reflect each other? I mean, should they always have exactly the same assets? Currently, in my Asset Inventory, I have a "Dell XPS17" and a "Dell XPS15", but in my Risk Assessment I just wrote "company-owned laptops". Does it make any difference?
  • Data Backup and Restore

    Should the backup and restore process be encrypted?

    I mean the tapes themselves.

  • Control diversification

    Hi, I'm a customer using your template package for ISO 27001. Quick question for the experts: I've read this thread in the community (https://community.advisera.com/topic/control-objectives-in-the-statement-of-applicability) but I'm still having some difficulties. We're a very small organization with a scope of 3-4 persons. We've never had a security incident. I know that you've added the "Control objective" column to make it practically easier, but I'm starting to wonder if we should completely remove the column. The only control objective I can think of is "We want to continue having 0 (zero) security incidents". And sure, I can put in "We want to have zero security incidents due to (insert e.g. lack of patching, poorly managed access rights, etc.)". Currently, I've written the same thing in almost every control (formulated as a question, though): - Have any incidents occurred due to a failed control over access rights? - Have any incidents occurred due to a lack of security measures in the transfer of physical media? I cannot figure out how to diversify it. Can I completely ignore the control objective column and just go by "We want to keep having zero security incidents. If we register any, how many? And due to what?" and then look at the weakness?
  • 10.1.2 Key management

    I wanted to ask how I can check Annex A control 10.1.2 Key management during the internal audit session, and what is needed to satisfy these requirements.
  • Human Resources Policy

    My new organization has a lot of Human Resources policies, like a diversity and inclusivity policy, a car allowance policy, a dress code policy, etc., while the ISO 27001 Human Resources security policies deal only with security prior to, during, and after employment.

    1 - In designing an ISMS to ISO 27001 standards, are these non-security-related policies included or excluded?

    2 - Another question. My new organization uses the Plan-Do-Check-Act (PDCA) cycle to write individual security policies, like the business continuity management policy, etc.
    My understanding is that the PDCA model is for the structure of the ISMS and not for individual policies. Am I wrong?
