Take the ISO 27001 course exam and get the
EU GDPR course exam for free

ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Asset inventory

    When writing and preparing an asset inventory, should we write the name of risk owner/asset owner or the role?
  • SOA for a global company

    We are in de process of certifying a global company. there are 2 countries within the scope. one of the countries within the scope does not develop or maintain systems. 1. Can we add a column to the SOA justifying that one country does not develop? Or will that country have an own SOA? 2. Show we also add this to the scope statement? because not all controls apply to one country Thank you for all the responses.
  • Do we need separate Cloud Security Policy?

    If our business is Saas and it's all in CLoud for example. Currently, we need to have Information Security Policy as the required document. But do we need a separate Cloud Security Policy ?
  • Revision to 27002 question

    I read with great interest your Blog on the Revision Changes to 27002. Is it perhaps possible to share with me as to whether EACH Control will refer to the required Elements as well as the 5 Control Attributes in relation to determining appropriate Process guidelines?
  • A.5.1.1 Policies for Information Security

    We have a customer requirement that we would like to include in the Information Security Policy. I will map these onto area ‘Setting top-level information security objectives and intentions’, but would also expect control A.5.1.1 Policies for Information Security to be triggered. From the mapping document this does not seem to be the case. Actually, A.5.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should A.5.* not be mapped as a result of the area I mentioned? Or any other area?
  • Register of legal, contractual and other requirements

    1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

    2 - For ISMS Scope: we’re not sure what to include and what to exclude! do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

    3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

    4 - For IT Security policy: is it only 1 global policy? Or we need to add related policies like: backup policy, cloud policy, data destruction policy ...).

  • Is antivirus software requirement for companies seeking ISO 27001 certification?

    In working with my current company through their ISO27001 audit, I wanted to ask if antivirus software was a requirement for companies seeking ISO27001 certified? We are currently operating almost entirely out of the cloud on mac devices, so we wanted to ask if we had to get one before the audit.
  • Requirements in Document Wizard

    1. Why can I select only one person to approve my documents. We have more people so I am not sure how to handle this in our organization? 2. How are the risks and requirements listed in each step addressed in each policy. Do I need to do something on my side or reference them in specific paragraphs? How do I know which paragraph in the document covers which risk or which requirement so that when I am asked how we are treating those risks or requirements, I can show them?
  • Does risk treatment table need to be separate from risk assessment table?

    Does the risk treatment table need to be separate from the risk assessment table?  It seems to me that columns on treatments and treated risk values can be added to the unacceptable risks in the risk assessment table and this can avoid duplication.  What do you think?
  • Content and scope of External Threat Monitoring

    at present, the most immediate question I have is this – what is the content and scope of External Threat Monitoring? Would it be adequate to comply with US’ FISMA Act 2002 (it is a US Act but is adopted worldwide as a best practice), and, as part of FIMA compliance, should we adopt NIST’s standards, namely, FIPS 199, FIPS 200, and the NIST 800? External threat monitoring [job title] is responsible for monitoring suppliers, manufacturers, and security reference groups in order to identify external threats that can impact applications and systems, and [job title] must select actions to be taken in case new threats are identified.
Page 8 of 510 pages