Take the ISO 27001 course exam and get the
EU GDPR course exam for free

ISO 27001 & 22301 - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • ISO 27001 is being revised: Which standard revision should you implement?

    R u sure they fall in 13 n rev comes in 22 Your qn doesn’t expect me to ponder after 15

    Hope you are doing well I have some question about ISMS scope ISMS SCOPE DOCUMENT document does not include the following as you mentioned in your book "secure & simple" ISO 27001 says you have to do the following when defining the scope: Take into account internal and external issues defined in clause 4.1. Take into account all the requirements defined in clause 4.2. Consider interfaces and dependencies between what is happening within the ISMS scope and the outside world. and the last point also needs more clarification on how to do It, I mean other method rather than diagram.
  • Management review for ISO27001

    I just had a workshop in ISO27001 lead implementor. As a preparation for the audit, I need to prepare a management review, I would like your advice about the needed step for creating this document in ISO27001.
  • ISO 27001 Conformio questions

    1. In case we have to abide by requirements in several states because we are doing business with both, how should we handle these requirements in the context of ISO 27001 implementation? 2. In case we have defined a security objective and we fail it (i.e., our target was to decrease the number of incidents, and we see that they have risen) will this hamper my possibility of obtaining the certification. 3. How do we select a certification body?
  • How can we move to 27001?

    I have a question regarding the effort to move from the old version of 27001:2013 to the new one. What effort / resources shall we plan ? We have implemented 27001:2013 since 10 years…Do you have a guideline how to proceed?
  • Conformio - ISO 27001 Requirements

    I saw that based on the risks or tasks created when preparing the corresponding documents in the requirements section it states to include them in the doc, is that being done by manually adding the references in the editable sections or is there a different method? I have uploaded a screenshot as requested. As you can see in the requirements it states to be sure to resolve the listed risks. Should this be done by inserting some references in one of the editable portions or is it being done by the wizard in one of the steps? https://i.imgur.com/qEQfHVI.png
  • Questions about Scope of my ISMS ISO 27001:2013

    Good morning, You can help me with the following questions I would like to know what level of detail should be specified in the wording of the scope of the information security management system?

    1. Should I write the exact listing of all the information assets covered?

    2. Should I write the exact list of the information provided?

    3. Should I write the exact list of applications / software covered?

    4. Should I write the exact list of the physical offices covered?

    5. Should I write the exact listing of the databases covered?

    6. Should I write the exact list of websites / mobile applications covered?

    7. If I want to include all the information assets of my organization is it sufficient to write: "The scope of the SGSI covers all the information assets of the Organization" or do I have to be explicit by detailing all the information assets?

    8. Do I have virtual machines on Microsoft Azure that run critical applications, should I specify that the scope only covers the applications installed on these virtual machines that are on Microsoft Azure? or should I also include the virtual machines and their contents?

    9. We currently have corporate mail with GOOGLE, is mail a critical asset in our organization, should I also include it in its scope if a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?

    10. Currently we send our customers emails and massive newsletters that contain important business information, are these emails and newsletters sent through a provider's software, should I also include it in the scope of a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?

  • Legal and contractual requirements question

    Looking through our List of Legal, Regulatory, Contractual and Other Requirements documents, we had a question. As a small company that deals with commercial driving fleets, are we expected to have a long list of these requirements? Of the list of requirements that were listed on the article linked in the actual document, none really applied to us. We do not operate in individual states that have these requirements, so we had very few there. As a whole, it seems like we only have a few contractual requirements with our customers. Does that seem right?
  • Mapping of requirements categories to ISO 27001 controls

    Hi Dejan, Thanks for your reply and I understand what you are saying in the bullet points. However, I do believe my questions are still not fully understood. 1)      There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the drop down list for the Area field, right? But my point is that there is no option for Human Resources Security available from the drop down list for the Area field. So my initial question some time ago was, why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the area drop down list. 2)      I understand the reasoning behind mandatory safeguards, but my question about that was where do these requirements show up in the SoA? Or do they need to be added to the SoA manually? I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as art of request 63693. I still would very much appreciate to have a few hours of detailed training in the use of Conformio (like explaining the function of every field), as there are still areas that are unclear to me, that are not documented and that are costing me a lot of time getting them answered by sending emails to support and even going back-and-forth quite a few times, like about this issue. I would appreciate if some training is available in the short term.
  • Corrective actions and nonconformities

    How could the nonconformities found in the internal audit exposed in the corrective actions affect the external audit? What happens is that in the organization where I am, they are afraid that we will find majors or minors nonconformities, because they think that the external audit will be based on these results so they prefer just use nonconformities in general and do not use major or minor non conformities in the form.
Page 9 of 510 pages