After reviewing what we’ve done so far for the ISO 27001 implementation, there has been a bit of uncertainty about the implementation of ISO controls.
Before starting with ISO 27001 we already did a lot of things as securely as possible.
This has resulted in not a lot of risks in our risk assessment and not many controls stated as applicable in the Statement of Applicability.
I read on various articles that the SoA should probably have 80 – 90% of the controls stated applicable, whereas we only have a handful at most.
My question is whether we’re doing this right or might be misinterpreting something. Or perhaps our approach has been inadequate.
So far we’ve identified a few risks, decided which controls we should implement, and implemented those with help from the toolkit and videos. Hopefully you could give us a new perspective and help us find hidden risks.
Is there a difference between ISMS responsible and CISM?
Can we be GDPR and ISO 27001 compliant with 1 employee? 2 employees? And working with freelancers/consultants?
I hope you're doing well. I watched the ISO 27001 Lead Auditor Exam training videos and found them to be very useful! Thank you for offering this free training. I am leading the ISO 27001 internal audit efforts at my company for the first time this year and wanted to seek your guidance. Our company's ISMS is ISO 27001 certified and we also have a SOC 2 Type 1 certification.
1. Are we required to include the SOC2 controls in the ISO 27001 Statement of Applicability?
2. If we were to add all of the SOC2 controls this year, would all these controls be tested during this year's external surveillance audit? I'm planning out the scope of the internal audit and which controls to test, but we have limited resources and time. It seems duplicative to me to include the SOC2 controls since those are tested independently as part of the SOC2 audit. I understand an internal audit is not required for the SOC2 certification, but I see the benefit of performing an internal review to identify issues that could be mitigated before the SOC2 cert audit.
Which section of ISO 27001 mentions confidentiality?
1. How to start documenting Statement of Applicability.
2. What approach to follow?
3. Who all should one interact with?
What are the more critical areas to prioritize focus during implementation?
What system/application do you recommend to control documents, incidents and other items from the ISO standards?
What KPIs will be the best to choose for monitoring metrics?
The question is: what is considered ‘business-relevant data’ as mentioned in the document ‘A.8.2 IT Security Policy’ and is there a list that we can use to help us identify instances of this?