-
Training sessions
Just wondering: after giving the awareness workshops, there should be a survey to be filled in by the attendees. Would you tell me what questions should be asked, and how the results or statistics would help me later on? In other words, why am I conducting a survey, and how should it help me determine my next steps? Also, if I am doing a report for management, what should it include for decision making?
-
Question on enterprise risk management framework
I bought your book Becoming Resilient. It has been helpful.
I just started reviewing your blog.
I am developing a BC framework for a company that has nothing.
Your book and blog are good resources for this effort.
I have also been tasked with developing an enterprise risk management framework.
I have been reading up on COSO’s 8 key components that comprise an ERM framework:
1. Internal Environment- Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people. It is critical that upper management express the importance of ERM throughout all levels of an entity.
2. Objective Setting- Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
3. Event Identification- Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those that represent opportunities, and those that may be both.
4. Risk Assessment- Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and residual basis, with the assessment considering both risk likelihood and impact. Risk assessment needs to be done continuously and throughout an entity.
5. Risk Response- Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risks. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.
6. Control Activities- Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
7. Information and Communication- Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk.
8. Monitoring- The entirety of ERM is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant.
Do you have any additional suggestions or advice as I embark on this journey?
-
ISO 27001-Advice- Clause 6.1.3 d)
I would like your point of view on the following:
I am confused about how to interpret this clause.
If I had an SoA with the following columns, would it meet the requirements of this clause:
or should it be like this to meet the requirement?
-
Annex A.16
Hello Support,
I am working on ISO 27001 – Annex A.16: Information Security Incident Management in our organization.
How should companies define roles and responsibilities when they are dealing with multiple incidents that need to be handled by separate departments? For instance, incidents related to the SFTP server and SQL server should be forwarded to the IT department, but our SaaS service issues should be forwarded to the software development department.
Also, I know that in the toolkit we purchased there is an incident management procedure which I can edit based on our organization, but I wonder whether we should have multiple different incident response plans for different incidents or not.
-
Question about IT Security Policy
1. A small query: the "A.8.2_Politica_de_seguridad_de_TI_Premium_ES" document mentions as a prohibited activity the one that I highlight in red below; however, it is not entirely clear to me what it refers to. Could you please clarify?
2. In relation to the same document, and even the same section, I would also like to understand the reason why the use of cryptographic tools is prohibited, which is the point before the one I asked about first in this same mail thread.
Greetings and thanks in advance; I look forward to your feedback on both.
-
Procedure for Identification of Requirements
Hi, good morning. Could you please help me with the following information?
Referring to this document: 02_Procedure_for_Identification_of_Requirements_EN
1 - We have two business units, one located at site A and the other here at site B. The unit that will be certified is the one at site B. Do I need to include information from site A as well, such as laws and regulations?
2 - Another question: do we need to specify the names and type of customer contract?
-
Toolkit question
I am asking whether the toolkit we just purchased is usable for our cloud and non-service infrastructure, correct? In other words, I would like to know whether our product includes the ISO 27001 DOCUMENTATION TOOLKIT - SIMPLE IMPLEMENTATION https://advisera.com/27001academy/iso-27001-documentation-toolkit as well?
-
Relation of ISMS with CMM level
You have been answering my queries successfully for so many years, so I have one more question.
What is the difference in ISO27001:2013 implementation for an organization that is operating at CMM level 3, level 4 and level 5?
Is my question relevant? I believe the difference would be in managing risks.
-
Converting numeric revision
I have a query on configuration management.
Is there any standard reference on converting the numeric revision once the documents are approved?
For example, once technical drawings are cleared for Good for Construction status from their detailed design, is it not mandatory to convert the revision to zero and issue? Though we had followed this in all our earlier organizations, is there any standard reference for this?