We are currently certified in ISO 27001 and would like to know what the next steps are to maintain the certification.
I am in the process of writing an ISMS Scope Statement. Can you please review it and tell me whether it will work as a Scope Statement, or whether I should add or take away any words from the statement below? I appreciate your comments! Thank you!
We are a clean and wastewater critical infrastructure business. Consulting on and designing clean and wastewater facilities is our core business. It is therefore our responsibility to establish a strong information security management and governance system to protect the processes, services, data and assets of our business, employees, clients, contractors and vendors with respect to confidentiality, integrity and availability.
We're working with the documents and the process is going well overall.
I do have a question on defining the scope of the ISMS. We are a software consulting company; we have our own products, but we also deliver development services to customers. I want to express that software that we develop and manage (SaaS) on our own terms (our own products) falls within the scope of the ISMS. When we work for customers, we want to follow whatever guidelines our customer asks for. In addition to the software development services themselves, the overall IT infrastructure and security of all departments (backups, password rules, network security, anti-virus rules, ...) operated by our personnel should in general fall within the scope of our ISMS. I wrote down the scope as below, but I wonder if the last bullet point is not too broad, pulling *all* general processes within the scope of the ISMS (e.g. the company car policy?). What's your opinion on the definition of the scope of our ISMS as stated below? Any suggestions to get closer to what I described above?
The following processes and services are included:
- The software development life cycle processes of *** software products.
- The operational processes of *** SaaS products, including SaaS products hosted in the cloud.
- Software development services delivered to third parties, insofar as contractual agreements contain secure software development life cycle (SDLC) requirements.
- System administration services delivered to third parties, insofar as contractual agreements contain ISMS requirements.
- Internal general processes and operations (e.g., HR, Finance, Accounting, Sales, ...).
We received this question:
Hi Dejan, I was wondering if you or anyone from your team of experts could answer this question about security training and awareness for ISO 27001. I have come across a really good site for security training for staff. The free course can be used for employees. The only downside is that there is a quiz at the end, but it does not give a score, only a completed status.
Can this be used as a measurement of ISO 27001 compliance for awareness? How do we prove it to the auditor if there are no scores? We can always ask staff to send us a screenshot of completing the course. Is this enough? Or does the standard require an actual score for the quiz/training?
Once again thank you so much to you and your team.
I have a problem with the RAT. Why are some of the controls listed on the Controls tab of the Risk Treatment Table in the video tutorial (How to implement risk assessment according to ISO 27001) different from those in the live document? For example, A7.1.2 in the video is 'Ownership of Assets' and in the live doc it is 'Terms & Conditions of Employment' ... and there are many more examples. Please explain.
I have one question. Is a pen-test from a third party required for getting the ISO certification?
I am making steady progress on our ISO 27001 project using the Advisera toolkit, support and guidance.
I have completed the 4 implementation phases (Mgmt support, Prepare project, Identify requirements & design Scope, Mgmt intention & responsibilities) and am about to enter the perform risk management stage.
With regards to the risk management phase, we have a mandatory requirement to comply with ISO 27005.
We need Advisera's feedback on whether the ISO 27001 toolkit we purchased will help us comply with ISO 27005 as well.
Hi Dejan,
As discussed during my meeting with you, I have 2 non-conformities from my ISO 27001 audit. One of them was A.15.2 - Supplier Relationship. We failed on A.15.2.1 - the auditor notes "No evidence of monitoring and review of supplier services."
I read your blog on risk mitigation - https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
My question for you is this: we have insurance. Can we transfer the risk of A.15.2 using the insurance? Please let me know.