ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Secure Development Life Cycle

    Another question. I think we know the answer, but just double check.
    Q2 – We produce hardware and software that sale to our customers. The software is based on licences.
    2.1 - Do the ISO controls apply in any way to these products? I think not. That once they are acquired by the customer the responsibility in terms of ISO27001 falls under them. Am I right?

    2.2. - Does the ISO indicate controls for SDLC (Secure Development Life Cycle?)? And for hardware?

    2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc), How does this affect us in term of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, record, etc) and store it in our systems then this data become our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect this logs/records/info?

  • BC strategy and ISO 9001

    How does BC strategy fits into an ISO 9001 certified company? What is the impact on QMS Supply chain CRISIS, sales, training and communication, etc, if you have or not BC strategy ? How should I convince my CEO on its importance/ (to my knowledge we don't have a documented BC Plan) Thank you for clarification and presenting this topic.

  • Information in third party systems


    First at all, thank you very much for your help. It is helping me to understand how to do things in a better and simpler way.

    Another question: 

    Q1 – HR department has most of systems they use externalized with 3rd parties. These covers our official web site, personnel information, Payroll and other tools. The 3rd parties do the technical management, and our HR use the systems maintaining the information. My guess is that these systems aren’t assets we need to protect, because are out of our control, but the information belong to us.

    How should treat this case in terms of assets, risk assessments and controls?

  • Implementation questions

    I am currently researching on the topic of ISO 27001 as our number of institutional clients is increasing.

    I would be interested in some information regarding the standard so I would be very grateful if you could take some time to help me with the questions:
    1. I looked at the phases of standards from Planning, Implementation, Verification and Further Improvements. I wonder how long on average full implementation and verification takes?
    2. Where are and what are our potential financial costs?
    3. At what stage would the Auditor come and is this something you could do for us? (Also, I'm interested in the fee for that)
    4. Any PDF resource would be great, which could describe the whole process in more detail. So if you have something similar, please send it to me.
    5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask

  • Business impact analyses questionnaire assistance

    We have started with the listing of our assets and need some assistance as I think that we might be on the wrong path here. We have listed most of our hardware / systems that we use and have started with the business impact analyses questionnaires. My question is: Do we list all hardware or systems that we use as activities within the business impact analyses questionnaires or is this questionnaire purely used to document the actual process covered by the individual assets.

    Please see attached list of assets and we have created a questionnaire for each of these assets. Is this correct?

  • Training sessions

    Just wondering, after giving the awareness workshops, there should be a survey to be filled in by the attendees, would you tell me what questions to be asked and how the results or statistics would help me later on.  In other words, why I am conducting a survey, how should it help me to determine my next steps . also, in case if I am doing a report for management, what should it include for decision making?

  • Question on enterprise risk management framework

    I bought your book Becoming Resilient.  It has been helpful.

    I just started reviewing your blog.

    I am developing a BC framework for a company that has nothing.

    Your book and blog are good resources for this effort.

    I have also been tasked with developing an enterprise risk management framework.

    I have been reading up on COSO’s 8 key components that comprise an ERM framework:

    1. Internal Environment- Management sets a philosophy regarding risk and establishes a risk appetite.  The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people.  It is critical that upper management express the importance of ERM throughout all levels of an entity. 

    2. Objective Setting- Objectives must exist before management can identify potential events affecting their achievement.  ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

    3. Event Identification¬- Potential events that might have an impact on the entity must be identified.  Event identification involves identifying potential events from internal or external sources affecting achievement of objectives.  It includes distinguishing between events that represent risks, those that represent opportunities, and those that may be both.

    4. Risk Assessment- Identified risks are analyzed in order to form a basis for determining how they should be managed.  Risks are associated with objectives that may be affected.  Risks are assessed on both an inherent and residual basis, with the assessment considering both risk likelihood and impact.  Risk assessment needs to be done continuously and throughout an entity. 

    5. Risk Response- Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risks.  Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite. 

    6. Control Activities- Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.

    7. Information and Communication¬¬- Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.  Information is needed at all levels of an entity for identifying, assessing, and responding to risk. 

    8. Monitoring- Then entirety of ERM is monitored, and modifications made as necessary.  In this way, it can react dynamically, changing as conditions warrant.

    Do you have any additional suggestions or advise as I embark on this journey?

  • ISO 27001-Advice- Clause 6.1.3 d)

    I would like your point of view on the following:

    I am confused about how to interpret this clause

    If I had an SoA with the following columns, will it meet the requirements of this clause:

    or should it be like this to meet the requirement?

  • Annex A.16

    Hello Support,

    I am working onISO 27001 – Annex A.16: Information Security Incident Management in our organization.  

    How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance incidents related to SFTP server and SQL server should be forwarded to IT department but our SaaS service issues should be forwarded to software development department.

    Also, I know in the tool kit we purchase there is an incident management procedure which I can edit it based on our organization, but I wonder if we should have multiple different incident response plan for different incidents or not.

  • Question about IT Security Policy

    1. A small query, the "A.8.2_Politica_de_seguridad_de_TI_Premium_ES" mentions as prohibited activity the one that I highlight in red below, however, it is not entirely clear to me what it refers to, please clarify?

    2. In relation to the same document and even the same section, I would also like to understand the reason why the use of cryptographic tools is prohibited, which has been the point before the one I asked you first in this same mail thread.

    Greetings and thanks in advance, I look forward to both feedbacks.

Page 8 of 461 pages