Tag: "ISO 27001" - Expert Advice Community




  • Register of requirements: Granularity of entries

    Regarding the Conformio Register of requirements: I don't understand how granular the entries should be (recommended or required by the ISO27001:2022 standard). We have a lot of contracts with different customers but the contracts themselves have the same content. Should we create a new entry for every customer contract or would it be sufficient to create a general entry for all contracts with the same content? Or should we even create a new entry for every requirement of each contract of every customer?

  • CONTROLS A.18.2.1 AND A.18.2.2

    How to implement this control when the company is very small, that is, it has 6 employees? Critical analyses are usually carried out by the entire company team. In this situation, would it always be necessary to hire a specialized external organization, as suggested by the ISO27002 standard?

  • ISO 27001 Beginner

    Hi, I currently work for a care company in the UK and I've been asked to research ISO 27001 and how to apply it to the IT industry. I don't really know where to begin, and could use some help. I have been asked to do audits and risk assessments. What I'm asking for is a beginner's guide here and someone to point me in the right direction for this. Any help is appreciated.

  • Service as a Scope?

    In the Scope Webinar it is said that software cannot be a scope, but a department can be.

    And what about a service? In our case, it is software support service, which we offer to our clients. Can it be the scope?

    Or in that case we have to formulate the scope as a department who performs the software support service?

    Thank you!

  • ISO/IEC 27001:2013 ISMS Document Implementation

    I need to write up a draft ISMS document that meets the ISO 27001 requirements for an SME. Could someone please guide me on where I can find a template of one? Otherwise, can someone provide the headings that I should include in the document, please.

  • Compliance verification

    How do you verify compliance with regulatory requirements? Should it be a scheduled audit or a random verification of meeting the criteria? Thank you for your consideration.

  • Multi location certification

    I have implemented ISO27001 at a country level. The global company was only an interested party as a shareholder. But now that has changed and they are wanting to manage the network at a global level.

    I don't know how to treat them as part of this certification. Could you help with some advice on how to treat them?

  • Risk assessment and treatment report

    I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?

    In the draft document it states that «The risk treatment was done from XX to XX.» (in the German draft: "Risk treatment was carried out in the period from [day/month/year] to [day/month/year]."). Does this imply that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?

    Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (in the German draft: "after applying the controls, the residual risks were assessed"). This implies that the report is done after the controls have been implemented, as the process (on which is reported) would include the residual risk evaluation after the implementation of the controls.

  • Integrated implementation

    How can this standard be useful for implementing other standards like ISO 27001, ISO 9001, AS 9100 etc.?
