Guest
My doubt is related on controls to be implemented regarding software development, i.e, controls 8.25, 8.26, 8.27, 8.28 and 8.29.
I understand that if there is any type of internal software development the controls must be applied.
However, if a company has installed any software/platform that is open source, it means that its allowed or can be made changes. Even, and for instance, for solutions that IT systems administrators use to manage IT infrastructure.
In this case, any of the mentioned controls must be applied ? meaning that they cannot be excluded.
Does all of the RTP need to be completed before certification audit?
Hi Our parent company has ISO 27001. We have a new venture that is devolving from the parent and will become a separate legal entity. We want the new venture to be ISO 27001 certified, however it operates very differently from the parent company. My question is can a single legal entity have 2 ISO 27001 certifications i.e one for the parent excluding the new venture and a separate one for the new venture (which over time will become a separate legal entity)?
We have a question regarding the team that needs to implement and maintain the ISMS as defined in section 4.4 of "05_Information_Security_Policy_27001_EN".
We also want this team members to be able to approve requests like for example in "09.01_IT_Security_Policy_27001_EN" for installing software, running java, to name just a few.
We don't want only one person to approve this, whether it is the IT manager or the CTO.
We are a 50-user *** company.
It does not make sense to me that the executive team be the one in charge of the above since our case it is a small team of mostly non-technical users.
We thought of creating a 3-person team (maybe call it "IT Team" or another name if you have a better idea) that includes the CTO, IT Manager and the Head of Engineering. This team already meet weekly to discuss these matters, so I thought of officially putting it in our ISMS documentation.
Do you think that is a good idea?
Is it in-line with the standard?
If so, is it best described in "05_Information_Security_Policy_27001_EN"?
Dear Dejan,
I am following you and Advisera for a couple of months and I really like the content you provide.
I am now in the process of preparing my first customer for ISO 27k certification, but the legal side of things with the certification is not quite clear to me.
Would please be so kind, and give me your professional opinion on this? Would also Conformio help me with the process in this case?
Let me give you a brief overview of the situation and you will know what I mean right away:
There is company A (consists of 15 people), based in EU, which develops software, provides support, makes proprietary hardware for the software they make etc.
Then there is company B (consists of 2 people), based outside EU, which owns the copyrights to this software, tells company A what to do, what to develop, and also is written on every contract when they sell this software.
Customer wants this software to be ISO 27k certified. Company B has no other legal connection with Company A, they are not like parent/daughter companies.
My question is, which company is going to be certified? Do they need to be both certified, separately?
Why are you treating 2013 edition when 2022 becomes effective September?
I'm working in the IT department and I have my friend working in the cyber security department, and we are now in the preparation processes to obtain ISO 22301 CERTIFICATE before this objective my friend in cybersecurity prepare all documents as part of ISO 27001 Preparation but it covers only cybersecurity department, I need your advice is that okay or it should cover all IT activities due to he tells me the main reason to disruptive the services in IT is the cybersecurity?
please advise who is right we have prepared a BCM plan, Risk management, BIA, BC community, and response structural DR but it focuses on cybersecurity.
Does the ISO 27001 training offered cover only small and medium businesses? I mean the scope of training because when I started the training of internal audit for the same standard the lecturer said it is suitable only for small/medium businesses… so the training is not suitable for corporations?
we are currently preparing for our control audit.
However, due to personnel changes I am contemplating to change certain aspects of the SOA to reduce unnecessary overhead.
What effect will the removal of controls e.g. A.14 have for the audit and our certification scope?
Can Changes to the SOA only be made prior to certification audits?