ISO 27001 & 22301 - Expert Advice Community




  • Risks treatment

    Yet another question. Since our company is in the early stages and consists of a small organization, we are able to easily change our ways of working. This means we can also prevent getting into situations where we have risks which are unacceptable.

    As I understand it, if we're able to implement all relevant controls before entering any ISO 27001 certification, then we should be able to completely ignore documents such as the ones regarding risk treatment. This would mean that the status for all items in the Statement of Applicability is set either to not applicable or to fully implemented. Can you confirm that we are able to ignore the documents related to risk treatment in this case? Also, is it common to do it like this?

  • Clause 4.2 that will lead to the Mandatory document of control A.18.1.1

    Clause 4.2 that will lead to the mandatory document of control A.18.1.1 inventory of assets: do you have a template for this, please?

  • What ISO Standard does ISO 27001 Auditor follow during Audits?

    Trust you are doing well. We profited a lot from your explanation and course. I have a question which I wanted to ask you:

    What ISO Standard does the ISO 27001 Auditor follow during the Audits?

  • ISO 27001 vs ISO 27002

    Can you tell me what's the difference between 27001 and 27002? Which standard contains mandatory steps and which just contains best practice advice? How can you tell?

  • Register of Requirements — how detailed should it get?

    Hi, I'm using Confirmio to build out our ISMS and I'm on the Register of Requirements step.

    I'm trying to get a sense of the downstream impacts of being too detailed (or not detailed enough) here, and whether or not to be aspirational (i.e. list things we're not compliant with yet) or leave them out.

    Some examples:

    - A single contract could provide dozens of clauses that each map to a different area within cybersecurity (e.g. privacy, data breach reporting, operational security, secure software design, service level agreements, etc.). Do I break down the contract terms into chunks, or do I add just the contract as a single record?

    - There are some government policies in place that apply to our customers but not directly to us. They oblige our customers to implement contractual terms and controls on us, and in some cases they haven't done this yet. So in a strict sense we're not on the hook for these yet, but I'd like to plan to become compliant over time anyway. Do I add them and mark them non-compliant?

    So my questions are really two-fold:

    First, what is the downstream impact of adding these items? Is it more onerous to then complete the ISMS set-up with more items here? Is simpler better? What do auditors expect?

    And second, what is the impact of having items in this register in a "non-compliant" status as it applies to certification? Does everything need to be green within these registers before we can be certified, or is a working system with non-compliance being tracked of greater interest to an auditor?

    I'm interested to hear what's worked for others in the real world who've achieved compliance. We're only a small team.

    Thanks in advance!

  • How to find and choose a good certification body for ISO 27001

    A client of mine wants to be ISO 27001 certified. How do you choose which certification body to use, and what is the price of getting the certification?

  • GDPR Certification Exam

    Thank you for your continued support and advice, it is greatly appreciated.

    1 - It is my intention to write the GDPR Certification Exam at the end of this month.

    I trust that this will create the environment that will enable me to write both the ISO 27001 Lead Implementer and Lead Auditor exams.

    2 - I would really appreciate any communications regarding progress on the creation of Advisers POPIA content and an opportunity to present the same to a number of corporate and government clients in our portfolio.

    Please be assured of my commitment to broadening my ISO certifications based upon the Advisers offerings.

  • ISO 27001 - Capacity SaaS

    Hello. I have purchased the ISO 27001 Toolkit, and the auditor asked about capacity planning reporting for SaaS like Microsoft 365 apps (DevOps/SharePoint).

    In short: how do you address capacity planning for SaaS, which is out of your control?

    He points to CPU and utilisation, but even though I explained this, he says that I should still have oversight and be able to check the capacity of the services provided. I am not sure if I could, should, or would be allowed to exclude the hardware of the SaaS provider from my scope.

    I hope you can advise.

  • Information/data retention and destruction policy

    I currently need to create an information retention and destruction policy and was hoping you might have a template and/or examples we could use.

    We purchased your ISO 27001 documentation package a couple of years ago and have implemented (but not certified) using those docs. I went through the ones we didn't use, and the only one that appeared to be possibly appropriate was A.11.2. Any guidance would be appreciated.

  • Method or methodology to implement ISO 27001 requirements

    As I understand it, ISO 27001 is a standard, a set of requirements to be met by a company in order to be compliant. But ISO does not provide a method or a methodology to implement the requirements. Is that true? If so, could you please name a widely accepted method or methodology for doing so?
