ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4148
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Certification ISO 14001
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Impact column in Asset Inventory

    "In "09.07_Inventory_of_Assets_27001_EN.xlsx" there is a column (F) with Impact and there is a note saying "Copy from the Risk Assessment Table.". But, in the Risk Assessment Table, the Impact (which you call "Consequence") is for each Risk and not for the asset. Can you please clarify and explain if I am missing something?"

  • Documentation package content

    I'm not quite convinced of the new documentation package for 2022.
    In the package for ISO 27001 from 2017, the documents have been named consecutively based on the subdivisions.
    For example, under area A10, the document Guidelines for the use of encryption was created based on the controls A10.1.1, A10.1.2 and A18.1.5

    https://i.imgur.com/cUjQiuZ.png

    According to the new classification of the controls appendix A 2022, the controls 2017 for cryptography go to department 8 Technological Controls appendix A 2022

    In the control A8.24 over. However, your documents are not subdivided and subdivided according to the new ISO in the appendix, but are included

    Only the departments Security Measures, Training and Awareness, Internal Audit etc.

    Where can I find the documents on the other measure terms such as 5. Organizational Controls, 6. People Controls, 7. Physical Controls and 8. Technological Controls?

  • Question about SMCA

    Hello, I have a concern about the determination of activities, products and services. I would like to take a practical case of an organization whose sole activity is to operate and maintain the IT system of a bank. the Bank retains 3 critical processes that must never be interrupted: customer management, credit management, collection

    We want to do the SMCA (Système de Management de la Continuité d'Activité) for the Bank's computer system. What to remember in the products and services of the SSSI (Société de Services en Systèmes d'Informations)?
    i) Product: Computer System, Services: Management and maintenance of the Computer System, customer management, credit management, collection
    ii) Product: IT system, Services: customer management, credit management, collection
    iii) Product: Computer System, Services: Management and maintenance of the Computer System

  • Scope (locations and addresses)

    With regards to the scope, there is a section around location. Our client’s registered location is the CEO’s house address which we wouldn’t want to include as the location. All the users work remotely in different places. How do we deal with such a scenario? Is there a way to exclude location?

  • Register of Requirements

    Can you provide me with how to write contracts and regulations for contracts, and is it between IT management and other employees in the same company? 

    Another question,  for example, Microsoft a software company (license and terms of use) the contracts between the IT department 

    Another question,  for example, Microsoft a software company (license and terms of use) the contracts between the employment in compatibility? Please write an answer with details How to structure writing contracts with examples.

  • ISO 27001 and minor non-conformities

    We had a question come up regarding ISO 27001 and minor non-conformities. I’ll enter it below hoping that someone from the training team may be able to answer it for us.

    Question we have;

    We have a certified facility that had a few minor non-conformities during its last surveillance audit.
    The audit provider gave the ISMS team until June 2023 to address them. They had 90 days to supply a fix.
    Did that mean they needed to report back to the auditor with the remediation by June?
    Or do they need to provide evidence that they were addressed by June at their next Audit coming up in March 2024?

    So, does that ISMS team need to proactivity reach out to their auditor with the evidence that the non-conformities have been fixed?

  • Labelling information

    Quick question on the requirement to classify and label information. Are we expected to do this for all historical documentation as well as documentation moving forward?

  • Infosec responsibility for BCP from an IT perspective

    is it logical to have the IT responsivity on BCP led by the Infosec team?

  • Question around contractual and legal requirements

    Will the organisation have to go through each agreement and determine? If so, this may be a time consuming exercise?
Page 8 of 542 pages