ISO 27001 & 22301 - Expert Advice Community



  • Procedure for Identification of Requirements

    Hi, good morning, could you please help me with the following information?
    Referring to this document: 02_Procedure_for_Identification_of_Requirements_EN

    1 - We have two business units, one located at site A and the other here at site B. The unit that will be certified is the one at site B. Do I need to include information from site A as well, such as laws and regulations?

    2 - Another question: do we need to specify the names and the type of customer contract?

  • Toolkit question

    I am asking whether the toolkit we just purchased is usable for our cloud and non-service infrastructure, correct? OK, in other words, I would like to know whether our product includes the ISO 27001 DOCUMENTATION TOOLKIT - SIMPLE IMPLEMENTATION as well.

  • Relation of ISMS with CMM level

    You have been answering my queries successfully for so many years. So, I have one more question.

    What is the difference in ISO 27001:2013 implementation for an organization that is operating at CMM level 3, level 4 and level 5?

    Is my question relevant? I believe the difference would be in managing risks.

  • Converting numeric revision

    I have a query on configuration management.

    Is there any standard reference on converting the numeric revision once the documents are approved?

    For example, once technical drawings are cleared for Good for Construction status from the detailed design, is it not mandatory to convert the revision to zero and issue? Though we have followed this in all our earlier organizations, is there any standard reference for this?

  • How to send the password for an encrypted document sent by email, if we only have the recipient's email address?

    I have a problem with sending sensitive data via email securely. The file I want to send is already encrypted, but the recipient needs a password to decrypt it. I always send such passwords via a different communication channel, but this time I only have the recipient's email address. What would be the best way to send such a password? In a separate email? Or maybe you can advise me of a better way to protect sensitive data sent by email if I only have the recipient's email address?

    Thank you in advance for your suggestions.

  • Toolkit content

    Today we downloaded the toolkit for creating ISO 27001.

    We noticed that appendix A_6.1 does not contain an "internal organization" document covering the points that the declaration of applicability 6.1 contains:

    A.6.1.1 - Information security roles and responsibilities
    A.6.1.2 - Segregation of duties
    A.6.1.3 - Keeping in contact with authorities
    A.6.1.4 - Keeping in contact with special interest groups
    A.6.1.5 - Information security in project management

    Our document 6.1 is the regulation on BYOD. Is there a document missing, or could you send it to us?

  • Consent for processing children's data in the EU

    We are a market research firm based in ***. We conduct market research surveys on Gen Z and Millennials (13-39) and are just moving to international data collection. We use panel providers, so we do not have our own panel of participants. I'm trying to write our first Privacy Notice and am struggling with stating the rights for revoking parental consent to the processing of children's data. While we collect sensitive information (like gender, age, ethnicity, etc.), we do not collect email addresses, names or postal addresses, which would be personally identifiable. However, to ensure data integrity we do automatically collect the IP address in our surveys, along with other geolocation data. This is only used to ensure survey participants are truly from where they say they are from and that they are not repeat participants for that particular survey. After the survey is complete and we have reviewed it for accuracy, we remove that information from the data, rendering the other data anonymous. If we tell them they can withdraw consent even within that 14-day period, though, the likelihood of us locating the exact record for that respondent is very slim. Is it OK to state that? For example: "If the legal basis for processing is parental consent, you have the right to withdraw your consent for processing. Due to the limited information we collect, however, locating the data may not be possible. However, we will make every effort to do so. If you wish to withdraw consent to the processing of your child's data, please email ***."
    Any help is greatly appreciated.

  • Knowing ISO 27001 and ISO 22301

    Good day, one question: I would like to know about the information security standards ISO 27001 and ISO 22301. Can they be implemented freely or at no cost, and then get certified afterwards?

  • End of life and ISO 27001

    I hope you are well and have been having a great week so far. I was wondering whether one of your highly experienced consultants could answer the following ISO 27001 question.

    As part of ISO 27001, we need to maintain an end-of-life process for equipment and maintain a system for managing the re-use of the same equipment, let's say in the scenario where someone leaves the company, etc. My question is: we are 100% remote-based, working from several locations around the world, for example ***, *** and ***. How do we devise a plan for such a scenario? I genuinely don't know how to approach this. Should we pay a third-party company to manage it? If so, how do the different locations and the lack of a physical office structure come into play?

  • BIA and Risk Assessment

    I am done with the BIA for 3 departments and now I am working on the BC strategy and the BC risk assessment. I need some help clarifying, with an example, how the RA is going to help me with my BC strategy and BC plan in a more rounded manner.
    I am not able to understand the link between the RA and the BC plan and strategy.
    I need a simple example to understand the link between the three.
    Please, can anyone answer my question?
