ISO 27001 & 22301 - Expert Advice Community




  • Implementing information security continuity

    I have two questions. First, about SoA and selection of control A.17.1.2 Implementing information security continuity.

    1. In ‘06 Statement of Applicability’ > ‘Implementation method’ the entry is [Business Continuity Plan], while in the ‘List of Documents ISO 27001 ISO 22301’ it is marked that
    ‘Appendix 6 – Disaster Recovery Plan’ is a mandatory document for A.17.1.2.
    I may have understood this wrong, but I am confused about what one should choose to document if A.17.1.2 is deemed applicable.

    2. Second, if one deems that disaster recovery should be in place in the company but A.17 Information security aspects of business continuity management is not applicable, should one use only ‘Appendix 6 – Disaster Recovery Plan’ to document recovery?

  • Executives involved in ISO 27001

    1. Which executives need to get involved in ISO 27001, and how?

    2. Which documents need to be overseen by them specifically?

  • ISO 22301 certification

    I have two questions and I hope you can help me find the answers.

    1. When looking for certification in *** I realize that there are not really a lot of people with experience in 22301. I talked to *** and they all struggle to find a proper contact to talk to. On the ISO website, I saw the 2018 survey that resulted in a total of 1128 certifications worldwide and only 7 in ***. Do these numbers seem correct to you? Do you know German companies with a 22301 certification?

    2. We realized that a cyber attack is a very likely threat. As a financial services company we rely heavily on our IT department (which is in the process of getting certified to 27001). How can we handle that in the scope of the BC Plan? Is it OK to delegate the responsibility to IT or do we have to come up with our own detailed plans? We need to come up with ideas and plans on what to do when such an incident occurs and how we, e.g., bridge the first hours and days, but it is difficult to take ownership for fixing the IT part. How can that be handled?

  • ISO 27001 implementation

    Hi, I'm trying to get a start on implementing ISO 27001 for my approximately 250-person company.

    1. In addition to the kit I bought from you I purchased the standard from ISO... I now realize I should have also bought 27002 so I can get more details on the controls. Is there a package you recommend that has everything I need in it? I'd prefer to get that instead of having to keep asking my CFO for permission for each thing.

    2. Also, I've done the foundations course but I am still feeling a little overwhelmed with where to start... I think risk assessment methodology is the place, but not sure.

    3. I've started going through the docs and updating them with our company info, etc., and the roles I expect for certain things, but I'm not sure if that is the right thing to start with. Thanks in advance for any direction.

  • The best combination to use for IT Audit

    What is the best combination of COBIT, ISO and ITIL to use for IT audit?

  • ISO 27001 compliance testing

    Hi. I wanted to get a high-level view of the types of testing I should do for ISO 27001 compliance for a new website being built, and ball-park cost estimates of the price I should be paying an external organization to do that testing.

  • Risk Assessment

    Our organization is ISO 27001 certified. Now we need to go for risk assessment. I am confused, as our external consultant company is saying that they are using a Risk Assessment Matrix as per ISO 27005 & ISO 27001,

    whereas our newly hired auditor is saying that the external consulting company is wrong and we should use Nihari or Octavia.

    My question is that as an ISO 27001 certified organization what should we use?

  • BAU activities

    I missed the live session but really enjoyed the recorded version. During the session, you mentioned that it is possible to ask you directly. I have this project to get this company ISO 27001 certified; this is a small company in the *** with 3 employees there, 2 developers in ***, and about 40-50 customer service agents in the ***. They are collecting medical records for lawyers and actually, the ***-based team is carrying out the BAU work, scanning the documents, etc. *** staff only do sales and management, so the operation is fully at a remote location. The persons there are not employees but more like sole traders, using their own devices to access the company’s portal to manage the documents.

    We want to save money by limiting the certification to the US company, so the auditors won’t need to visit the Philippines; however, the ISMS scope needs to be the operation and management of the medical record collection and handling service.

    I’m thinking of recommending to the client that they handle the BAU activities as outsourced, and we will set the controls from A.15.

    I would appreciate your input.

  • Evaluating the effectiveness of the procedure

    Hello! We recently purchased the ISO 27001 toolkit and I was wondering why the procedures state what to check when evaluating the effectiveness of the procedure. Where is that requirement from?

  • Recording ISMS Internal Audit Findings

    How can I record ISMS Internal Audit Findings?
