ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit ISO 9001 Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS Internal Audit register of requirements Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit AS9100 Product: EU GDPR Documentation Toolkit
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Internal audit checklist and report combined

    What will be doing is using the checklist to carry out the iso27001 Internal audit. As you know the checklist has a section that says evidence I will write where I got the evidence who I interviewed medium etc.

    What I am however doing is after each section of the checklist for eg context of the organisation 

    I have combined the report there for example after each major section after answering collecting the evidence I have done this.

    I have basically combined the audit checklist and the report. I'll send a screenshot. Please let me know what if this fulfill requirements of audit and audit report. Programme I have already please see screenshot.

    Many thanks my guess combining them is fine just double checking. 

  • ISO 27001 Clause 4 - Scope

    In respect of scope location, would you include remote working eg coffee shop/airport? I would like to include homeworking, but I feel ad-hoc remote working may be a step too far in the scope. What would be best practice here please?

  • Certification for both 9001 and 27001

    I actually have one question /clarification based one what I read which confirms that it is possible to get certified for both 9001 and 27001 at the same time. I would like to get clarification on how both projects would be done concurrently and/or together. What are the common activities / interview meetings / deliverables?  Can a department interview approach be taken? Is the risk assessment and treatment plan common to both standards or only specific to 27001? How does the certification audit work in this case? What does it take to undertake both projects at the same time ( in terms of additional time and resources)? Do you recommend to work on both 9001 and 27001 certification at the same time?

  • Risk assessment: multiple vulnerabilities for the same threat

    On your tutorial vimeo page in the "06 How to implement risk treatment" video, you showed an example (see screenshot attached) in which you listed 2 separate lines for: the same asset, with the same threat, but with 2 different vulnerabilities.

    Would it not make more sense to list this under 1 line?
    That way there is 1 asset, 1 threat, 2 vulnerabilities and 2 controls.

    I ask this because for some of our threats, we have 5-6 vulnerabilities and 5-6 controls to mitigate them. should we split this to different lines or is it okay to have multiple vulnerabilities, with multiple controls, and multiple assets - within 1 line?

  • Conformio roles

    My name is the only available user for the steps in Conformio. What other users/roles would you recommend that I add? (Or does that actually come later in the process? The guide says I should not skip any steps, but at the same time I feel I need some new roles and users in the system)

  • Help with certification

    Hi, we wanted to discuss how to best place our shared server IT Department to support the business units who currently hold or want to obtain ISO 27001:2022 certification.

  • Register of Requirements and scope

    We like to have the development and QA departments of *** certified. But we like to include the hosting of our cloud service (which is done by our holding company) in all the documents already now. We have been advised to do so because we like to keep the scope small for the initial certification but extend it later. I'm now working at the Register of Requirements. How can I make transparent which requirements are for Dev/QA of *** and which are for the holding (in other words, what is in the certification scope and what's for later)?

  • Controls in the SoA that so not show up in the Risk Assessment

    We have controls in the SoA that we want to implement, that are not specifically part of the risk assessment table i.e., not used to mitigate a specified threat. However, it still makes sense to implement these controls. Is that ok? Can we have controls in the SoA that are not specifically part of the risk management?

  • Handling termination and change of employment

    What sections or where would the handling termination and change of employment with ISO 27001 be located? Not sure how where to find that.
Page 8 of 544 pages