ISO 27001 & 22301 - Expert Advice Community

  • Inventory of assets & risk methodology

    1. How detailed and far does the inventory of assets need to be? (do we need to list each laptop and cell phone for example)

    2. When a risk assessment is performed, does the risk owner have to do a risk assessment on all the assets every year, or only on the assets that are deemed to be threatened or vulnerable?

    3. Why is the inventory of assets not listed under the reference document as well as 3.1.2 in the Risk assessment and risk treatment Methodology document?

  • CISO and document management

    Two questions arose regarding the documentation toolkit for ISO 27001:

    1. Is it okay if a Chief Information Security Officer (CISO) also releases documents (instead of the CEO)?
    2. Can we omit the chapter "Managing records kept on the basis of this document" for the document "00_Procedure_for_Document_and_Record_Control"?

    Thank you in advance!

  • Stage 1 and stage 2 in internal audit

    Hi, I would like to know more about stage 1 and stage 2 in the internal audit. It will be great if the expert sends me an email about stage 1 and its contents, and stage 2 as well, for the ISO 27001:2013 internal audit.

  • Corporate Branding policy

    Hi! We are considering strengthening our control for our corporate logo by creating a Corporate Branding policy. However, I am not sure what control objective of the ISO 27001 will be most applicable for this. Can you help me? Thanks.

  • Controls from section A.18

    6 - In the Demonstration Kit, in the ANNEX A folder, we did not find any demonstration documents that deal with item A.18. Is this item disseminated in other documents?

  • Questions about scope, requirements and controls

    Hello, 

    Here are some questions. Not the ten from this month. I hope it is ok to send them in several batches.

    Thank you very much in advance for your help!

    Questions:

    03- Scope template:

    1.1. Processes and services [Specify the services and/or business processes which are included in the scope]
    Q1 - Must this include a list of all programs, SharePoints, SaaS, etc.? Or is it just a high-level description like "applications developed"?
    02 - Procedure for requirements identification for interested parties

    Q2 - Shall we detail all contractual requirements, one by one, or only those that could impact information security? Do they need to be listed for each customer, or can they be grouped? For example, if there is a legal requirement about retention time, can we just assign different contracts/customers to this requirement, or is it better to list customer by customer even if the requirement is the same? We don't know how detailed this must be.
    Assets and controls

    Q3 - People can be assets (e.g. the IT Admin). How many of the employees is it recommended to include in the assets? All our employees, or just the ones in key positions?
    Q4 - Assets and Controls: We are considering selecting around 150 assets, 110 of them applications or with some technical dependencies. This results in a lot of controls that apply to each asset. So far, we have this information in Excel sheets, one per asset, with all the pertinent controls. How do you suggest managing this amount of information? Is there any tool, besides Excel, that could help manage all this information? For the auditing process, do we need to maintain these Excel sheets/information? We haven't seen any reference in the mandatory requirements, only those to risk assessment, SoA, etc.

  • ISO 22301 as a market edge

    How can ISO 22301 certification give a 'marketing edge' to an organization? (similar to ISO 9001 in the 1990s)

  • Risk Control Table

    I will look forward to hearing from the expert.

    https://i.imgur.com/4sFGP38.png

    In the example above in the screenshot, I have given the consequence score of because of the existing controls. But should I be putting in the score prior to consideration of controls, which would be a', and then putting the lower risk score into the Risk Treatment Table after consideration of the controls, even though they are already in place?

  • Listing mitigated risks in RAT

    1 – In the RAT, presumably I do not list risks that are already mitigated?

    2 – Is it possible to see an example of a real and completed RAT, preferably for a SaaS business?

  • Risk assessment

    I also have questions about risk assessment. I am asking for guidance in relation to the following questions:

    1. Is the risk assessment methodology document the same for 22301 and 27001? There is no direct reference to ISO 22301 in the sample document, only ISO 27001. Is it appropriate in case I'm not only implementing 27001? Let's suppose I implement ISO 22301, or possibly ISO 22301 + 27001 simultaneously.

    2. Do I understand correctly that risk assessment should cover all business processes / activities involved in the business continuity management system?
