ISO 27001 & 22301 - Expert Advice Community


  • Mandatory and non-mandatory documents

    Your website (https://info.advisera.com/27001academy/free-download/checklist-of-mandatory-documentation-required-by-iso-27001) indicates MANDATORY Documents and NON mandatory Documents. Yet you say for the NON MANDATORY - "However, I find these non-mandatory documents to be most commonly used:"

    1 - So what are the documents needed to pass, and what documents are not needed while still passing the ISO 27001 cert?

    2 - Are you saying the items you show in the list are the ones we don't need?

  • ISO 27001 Lead Implementor - need to maintain certification

    Hi,

    As per the subject - if I were to sit and successfully pass the ISO 27001 Lead Implementor exam, does this certification expire or need renewing after a period of time?

    Thanks
    Lee

  • BIA or RA

    Thank you Dejan for addressing my question during this webinar.

    My confusion is which one comes first BIA or RA. Also, how can the results of the RA be used in the BIA?

  • Inventory of assets & risk methodology

    1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)

    2. When a risk assessment is performed, does the risk owner have to do a risk assessment on all the assets every year, or only on the assets that are deemed to be threats or vulnerable?

    3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?

  • CISO and document management

    Two questions arose regarding the documentation toolkit for ISO 27001:

    1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?
    2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?

    Thank you in advance!

  • Stage 1 and stage 2 in internal audit

    Hi, I would like to know more about stage 1 and stage 2 in the internal audit. It would be great if the expert could send me an email about stage 1 and its contents, and stage 2 as well, for the ISO 27001:2013 internal audit.

  • Corporate Branding policy

    Hi! We are considering strengthening our control for our corporate logo by creating a Corporate Branding policy. However, I am not sure what control objective of the ISO 27001 will be most applicable for this. Can you help me? Thanks.

  • Controls from section A.18

    6 - In the Demonstration Kit, in the ANNEX A folder, we did not find any demonstration documents that deal with item A.18, is this item disseminated in other documents?

  • Questions about scope, requirements and controls

    Hello,

    Here are some questions. Not the ten from this month. I hope it is ok to send them in several batches.

    Thank you very much in advance for your help!

    Questions:

    03 - Scope template:

    1.1. Processes and services [Specify the services and/or business processes which are included in the scope]

    Q1 - Must this include a list of all programs, SharePoints, SaaS, etc., or is it just a high-level description like "applications developed"?

    02 - Procedure for requirements identification for interested parties

    Q2 - Shall we detail all contractual requirements, one by one, or only those that could impact information security? Do they need to be listed for each customer, or can they be grouped? For example, if there is a legal requirement about retention time, can we just assign different contracts/customers to this requirement, or is it better to list customer by customer even if the requirement is the same? We don't know how detailed this must be.

    Assets and controls

    Q3 - People can be assets (e.g. the IT Admin). How many of the employees is it recommended to include in the assets? All our employees, or just the ones in key positions?

    Q4 - Assets and controls: We are considering selecting around 150 assets, 110 of them applications or with some technical dependencies. This results in a lot of controls that apply to each asset. So far, we have this information in Excel sheets, one per asset, with all the pertinent controls. How do you suggest managing this amount of information? Is there any tool, besides Excel, that could help manage all this information? For the auditing process, do we need to maintain these Excel sheets/information? We haven't seen any reference in the mandatory requirements, only those to risk assessment, SoA, etc.
