Search results


  • Statement of Applicability/Annex A Documents

    Todd,

    To answer your question, I'll quote a paragraph from our ISMS Scope template: "The organization needs to define the boundaries of its ISMS in order to decide which information it wants to protect. Such information will need to be protected no matter whether it is additionally stored, processed or transferred in or out of the ISMS scope. The fact that some information is available outside of the scope doesn't mean the security measures won't apply to it – this only means that the responsibility for applying the security measures will be transferred to a third party who manages that information."

    The point is - you need to require your suppliers and partners to protect your information - and you need to determine these requirements through the risk assessment.
  • List of legal, regulatory and contractual requirements


    Answer: If you refer to ISO 27001, you should list all legal, regulatory and contractual requirements related to information security (e.g. personal data protection). But this has nothing to do with a function - laws and regulations are valid equally for your IT department and your business departments.

    See here list of laws and regulations worldwide: https://wiki.iso27001standard.com/index.php?title=Laws_and_***********************************************************
  • Risk identification

    Only up to a point, ISO 22301 is more strict on what must be documented.

    In these two articles you'll find everything that must be documented, everything else may be documented only if you make such a decision:
    - List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
    - Mandatory documents required by ISO 22301 https://advisera.com/27001academy/knowledgebase/mandatory-documents-required-by-iso-22301/
  • Steering committees for a smaller company


    Answer: Yes, you can combine them in one document; actually, ISO 27001 does not require any of these bodies, so you can organize them any way you wish, or you can decide not to have such a body at all - smaller companies usually do not have such committees.

    Do we have to create process diagrams, such as for the internal audit process?

    Answer: No, you do not have to draw the diagrams because ISO 27001 does not require you to do so; the standard does require you to have a process for internal audit, and it is a best practice to write a procedure for it.
  • 7.2.2 labeling and handling

    Sure, our support will contact you shortly.
  • Criteria of IT company ISO certification


    I assume you are asking me about ISO 27001 certification. The basic criterion is to comply with all the requirements written in ISO 27001. Since there are many requirements listed, you need to purchase this standard and read all of them.

    This article will also help you: Becoming ISO 27001 certified - How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

    The criteria for certification are the same for all industries - IT, government, financial, manufacturing, etc.
  • General impacts

    If you marked the answer to the question "How difficult will it be to catch up on the backlog of work" as high impact after 4 hours, then this is where your MTPD is. Because if this wasn't that important, I assume you wouldn't mark it that high.

    If you consider the backlog of work completely irrelevant for your operations, then you can delete this question altogether - none of these questions are mandatory by ISO 27001 or ISO 22301.
  • RTO for IT System

    Thank you so much Dejan.

    Best Regards,
    Juliano
  • ISO training evidence


    Answer: There are no particular templates - you can show the auditor training certificates, or some other records showing that your employees have attended trainings.

    Could you also please let me know, apart from the implementation question, are they going to be interviewed individually?

    Answer: I'm not sure if you refer here to employees in your company, but the certification auditor can speak to anyone in your company, and he can ask them any question to find out if they comply with the security rules.
  • Query pertinent to mapping controls of the revised standard to the old standard

    Vinay,

    ISO 27001 does not mention "implementation guidance" - are you perhaps referring to ISO 27002?

    In any case, ISO 27002 is irrelevant to certification auditors. For ISO 27001, you have to select only those controls where there are risks or where there are some other requirements (like legal or regulatory) which require you to implement a particular control.

    To learn more about the risk assessment process and selecting the controls read this article: ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/