ISO 27001 & 22301 - Expert Advice Community



  • ISO 27001 certifications

    We are at the very beginning of thinking about 27001 certification. We are learning about the standard. If we go further, we will have to surround ourselves with people who are ISO 27001 certified. So, my questions: 1. Is it worth it for me to obtain the ISO 27001 Foundations certification? I would like to get it in April 2022. 2. Are “Lead Implementer” and “Lead Auditor” certifications still adequate?
  • Question regarding ISO Process

    Is the best step forward to now trying to map the risks against the SOA and hand out responsibilities for controls? Or should we instead focus on the risk treatment for our "red" risks?
  • Question about ISO22301 template

    1 - I am looking for an example of a process dependency matrix. 2 - I am also busy with a very big client's BCP. They have quite a few emergency and evacuation and other plans (SHE, Fire), being a power station. How does one integrate these into the BCP, and how do I link this to the Incident management process?
  • Software Password Storage

    Hi Guys. Regarding Software Assets, we have identified a risk that if the passwords/keys for the software are misplaced we will no longer be able to use that asset. The control we have implemented is to store all such passwords/keys in a password safe. My question is which document should this control be recorded in? The “Password Policy” document seems to be focused solely on user passwords, not software/keys.
  • Clause 4.3: ISMS scope

    Good morning. I have a question about clause 4.3: ISMS scope. I described as a scope that all data needs to be secured. I find it logical because it's the goal of ISO 27001. My question is which angle to look at while making the scope precise.
  • Confidentiality statement

    Within the mandatory doc list, it is essential to provide the Confidentiality Statement doc. Within the Confidentiality Statement Doc it asks you to re word the confidentiality statement if just for employees, to say the following: If this Confidentiality Statement is signed by employees, replace this text with "... I will share confidential information only in accordance with the Policy for Handling Classified Information and other documents of [organization name]." But…. The Information Classification Policy is not mandatory. Please can you advise?
  • NIST 800-53 vs ISO 27001

    I would like to know which is a better framework for financial organisations - NIST 800-53 or ISO 27001
  • Questions about Stage 1, and Scope

    Dear Dejan, We have already passed Stage 1 successfully with the recommendation from the auditor to move to Stage 2. Thank you very much for all your support and information!! Nevertheless, a little situation arose from the Stage and maybe you can give us some suggestions. In our company we develop and maintain Software and Hardware (we have a pool of 80 developers). We defined our scope with the idea to include just the processes that support our development process:
    “The information systems that support the following services are part of the ISMS scope:
    o Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection
    o Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.”
    During Stage 1 the auditor commented to us that we should include all the developers within the scope, and thus include/raise the corresponding days and money. Or exclude the Development controls from the SoA and have a Scope like this, without auditing the development:
    “The operation of information systems that support the following activities and services:
    o Design, development, deployment, maintenance, and support of Software for localization devices for Industry, Automotive, Sports, and Personal protection
    o Design, deployment, and support of Hardware of localization devices for Industry, Automotive, Sports, and Personal protection.”
    Does the inclusion of all the developers make sense to you? They work in different projects but basically work in the same way regarding the ISMS. We may have team leaders, developers, and working students, but all categories work in the same way. What could we argue against this decision/suggestion? Thank you very much in advance
  • ISO/IEC 27001/2 Harmonization

    The harmonization of 27001 / 27002 will be planned in 2022. Standards like 27017/18 and 27701 should also be harmonized. Is there also a timeline when this will happen?

  • DMS/Apps - information/content delineation questions

    We are trying to understand / get a clear definition of the delineation between DMS and Application information/content. Background: Currently we use Dropbox, Fibery Collaborative Docs & Whiteboards, and HubSpot to store company documentation and files. The content of each is not managed in any way and has grown organically. For our ISO 27001 DMS our intention is to use a new separate folder area within Dropbox to store the ISO documents and records, and related PowerX documents, and use a Register (spreadsheet) to list all assets and provide a hyperlink to the folder where they are stored. Questions: 1. What we are getting confused over is what information/content can stay in Fibery and HubSpot (and other collaborative apps like Confluence, which we will be using) and what we need to move into the DMS. Is there any guidance on how to approach this? For example, if we leave ISMS-related content in Fibery and point the hyperlink to the content, is that OK? 2. Another question is that most 3rd party apps provide features to create documents. For example, Fibery has a document function to create docs to their standards. However, they do not have the fields to store many of the ISO document standards, like control info and classification type. And access can be open to anyone authorised. Would it be fair to say that any ISMS-related documents and records should not be stored in such an app?