When looking at the controls in Annex A.8.3.1 to 8.3.3 regarding removable media, I cannot really understand how this is any different from the equipment mentioned in A.11.2.7, for instance. I guess both controls refer to the same objects, right? USB flash drives, CDs, DVDs, laptops, smartphones, etc.
So basically, are 8.2.3 and 11.2.7 referring to the same objects?
Conformio - setting up people and departments
The project sponsor is not supposed to be involved (Project Plan para 3.4.1). Is that critical? We're a small company where the MD will be very much driving this. If necessary, I could choose our chairman, but our MD would be better in practice.
ISO 27001 Lead Auditor exam - Doubts regarding a question
I took part in the ISO27k Lead Auditor workshop in August 2021.
I also sat the exam. Unfortunately, I was not able to pass the IS part, as I was 6% short of the 70% required for this area.
I have a doubt regarding two questions asked during one or both of my attempts at the exam in the IS area.
As we do not receive a report on which questions were answered correctly and which were not, I am not able to verify this myself.
1 - There was a question during the exam that went something like: Should a risk owner be assigned to each critical risk?
I responded Yes, but I started wondering whether the question should be understood just in the context of critical risks or in a wider context, meaning: is the question really asking about critical risks, or should the response perhaps be No, because the standard requires owners to be assigned to all types of risks found?
2 - The second one is regarding the "justification" for adding a particular control to the SoA. I do not entirely understand how to read "justification" in this question.
Could you please explain it to me?
I will be grateful.
Can certified ISO 27001 Lead Auditor train and certify other people?
1. I was told that a certified ISO 27001 LA can train and certify other people?
2. If so, is there a special certificate/training required to be able to do this?
Changing risk scale in Conformio
Could you provide more clarification about why a scale from 1-3 was used for the risks instead of 1-5?
IT Assets Disposal/ Write-Off
Dear Dejan,
Hope you are doing fine.
We are glad to inform you that we are officially an ISO 27001 certified company now. Thank you for your support and toolkit.
We need your advice on IT asset disposal/write-off. Our query is this: we recently gave a few laptops to our staff, since their previous laptops were old enough. Please suggest a suitable and universal method accepted by auditors to dispose of the old laptops as per controls A.8.3.2 Disposal of Media and A.11.2.7 Secure Disposal or Re-use of Equipment, and to return them to staff for their personal use.
Basically, we need to know what evidence we need to keep to show the auditors that the disposal/write-off has been done in compliance with ISO 27001.
Thank you in advance.
Conformio - Company Settings and Users
1 - When completing the Risk Register, are we choosing the Assets / Threats and Vulnerabilities without any controls in place? Are we then to add existing controls into the Treatment Plan?
2 - Also, in terms of an asset register for 27001 compliance, is the asset list in Conformio deemed sufficient, or should we have an asset list that details each asset a user has, along with an asset tag?
User A – Mobile001, Laptop001, Tablet001
User B – Mobile002
Etc
ISO 27001 Conformio expert question
So, at the moment, I cannot see any documents populated under the Documents module of the software. I assume it's because this is a trial account, and that all the necessary documents will be available once we purchase the full version.
Is this where all the ISMS manual sections (e.g., Context of the organisation, Leadership, Planning, Support, etc.) would be housed? The flow of items on the homepage of the software doesn't necessarily have you working to complete the ISMS manual first, I don't think.
Paper documents found in warehouse
I’ve just found a bunch of paper records in our warehouse, mostly supplier contracts and VAT receipts (financial records). Do these need to be kept in a locked cabinet? I believe so but wanted to check.
ISO 22301 toolkit - disaster recovery plan
I am currently preparing a business continuity plan using the ISO 22301 documentation from Advisera.
Question #1
Our company's situation is quite specific. The basic IT infrastructure is provided by the parent company, while the IT infrastructure for our main product is located on the servers of the hosting provider. I wonder if there is a need to have a separate, dedicated disaster recovery plan instead of specific activity recovery plans. One of the activities in the company is responsible for the development of the main product, and the procedures for restoring the main product, should that be needed, will be on their side. On the other hand, recovery after a disaster in matters related to other software provided by the parent company is the role of the parent company's IT, and it has its own disaster recovery strategies and procedures. In your opinion, can I skip the separate disaster recovery plan in such a situation?
Question #2
Is chapter four of the business continuity recovery plan template sufficient to meet clause 8.4.5 of the standard, or should I supplement my recovery plans with additional steps?