Can you explain how document 14.1 should be filled out? I understand that there is some relationship to the risks listed in document 5.1, but I'm not sure which assets are required to be listed in document 14.1.
To be more specific, we're running a SaaS company with at least these three types of information systems:
Software used in internal development.
The software that we develop. Note that the version of this software changes as we're developing it.
The software that runs in the production environment.
I'm not sure which of these should be listed in 14.1.
Security and Privacy
My question was regarding this: what is the difference between 27001 and our 'Security and Privacy' protection for patients' data? I am trying to understand whether, if we get the ISO 27001 certificate, we still need to obtain separate privacy and security protection or not.
Risk Assessments for Early Start up
I am putting together our first Risk Assessment. As a small start-up (10 people) with limited assets, I was hoping to put together a simple Risk Assessment with more generic items.
I took these lists from different NIST standards. Do you believe this would create a compliant risk assessment?
Asset List: Person, Organization, System, Software, Database, Network, Service, Data, Computing Device, Circuit, Website
Threat Options: Adversarial, Accidental, Structural, Environmental
Vulnerability Options: Information-Related, Technical – Architectural, Technical – Functional, Operational/Environmental
Basically, are these categories too broad to be used in a compliant risk assessment?
Defining scope of application and scope for ISMS
How do I best define the scope of application and scope for the ISMS? Our web application processes data from ERP systems and documents that are exchanged via them.
BC Strategy
Hi,
I am implementing the ISO 22301:2019 standard in my organization. I have different departments in scope, and I am currently drafting and designing the BC Strategy document for all these departments. I have some queries, which are as below.
With regard to the BC strategy solutions, such as people, facilities, data, human resources, transportation, finance and 3rd parties: I need to consider all these solutions and options, and I am implementing it in one organization which has the same
Alternate working location
Transportation channel to alternate location
HR department to provide the people for work.
Finance department to reimburse any expenses.
IT DR location and IT applications which are managed and backed up by a single IT department.
Based on the above options, I assume that all departments will have more or less the same strategy with respect to the above solutions. Please correct me if I am wrong.
The only point on which they will differ is the suppliers, which can be handled differently by different departments.
Please advise me on the above.
Audit report
Say you completed an audit and submitted the audit report to top management for review. Now that management has read the report, they disagree with some of the findings. What is the best or common practice to address such feedback in relation to a report that has already been finalized?
12.7 Internal systems audit considerations
Hope you're doing well. Can this clause be covered by our internal audit?
Smart devices
I am conducting research regarding smart devices, how they can be hacked, and what the EU Cybersecurity Act's responsibility is for this. I need to compare the EU framework to ISO 27001 to see which one is better and more useful.
Incident Management
Please advise whether the Advisera template for A.16_Incident_Management_Procedure in the ISO 27001 toolkit is aligned with ISO 27035:2016, which is a requirement for us as per regulatory/legal/license requirements.
Risk owner problem
Hello,
With reference to the risk assessment methodology (risk assessment for ISO 22301 purposes): who is the owner of the risk if the company to be analyzed uses IT solutions provided by a related company in the capital group?
Example:
Company X (which is subject to risk analysis in connection with ISO 22301) uses an accounting program. Company Y (an IT company from the capital group) provides the program. Will the asset owner, for example, be the IT Director of Company Y, and the Accounting Director of Company X the owner of the risk? Who should assess the risk for Company X in this case? I think it should be an employee of Company X, but I'd like to make sure.
Best regards,