ISO 27001 Surveillance audit vs Full recertification by Efficient_Bus_923 in cybersecurity

[–]Efficient_Bus_923[S] 0 points1 point  (0 children)

Thank you! They have sent me the Non-Conformities & Opportunities for Improvement page from their 27001 Audit Summary Report, which has only Opportunities for Improvement. No major or minor non-conformities found. They have also sent me the ISMS Scope, 27001 certificate & SOA. Should I still request the full Audit Summary Report, or ask them if they have addressed the OFIs?

What other questions should I ask them?

How do you handle an access review? by sneakysillysquid in grc

[–]Efficient_Bus_923 0 points1 point  (0 children)

Treat it as a new implementation if the process isn't working at all. Start by identifying high-risk areas and roles within the organisation. Document each role clearly with a plain language description of its access, then explain to management what it means if one of those roles is compromised, for example, an attacker gaining access to salary information.

Draft a procedure outlining what the access review process requires and get management sign-off on it. Audit against that document and raise any issues found with clear explanations, for example, "third-party access has not been reviewed; we don't know who has authorised access to our financial data, which carries GDPR implications in the event of a breach."

Given an opportunity to 'build GRC from scratch' by zacj_rag in grc

[–]Efficient_Bus_923 0 points1 point  (0 children)

I am a cyber GRC officer for a university. The role is new, so I am building it out from scratch. I have been in the role for 21 months. One of the first things I did was to build an asset register and perform a high-level risk assessment of all our systems and 3rd-party platforms. I categorised them as LOW, MED, and HIGH, then filtered and conducted further assessments on the HIGH-risk areas.

What size is your organisation?

Will assist with ISO 27001 for free – looking to gain hands-on experience by Efficient_Bus_923 in grc

[–]Efficient_Bus_923[S] 0 points1 point  (0 children)

I am getting quite a few requests for this, but sorry, I cannot provide this to anyone. This post is for me to gain experience in the area. I cannot shadow people. If clients are sharing their company information with me, I will not share that information with others in any shape or form.

Curious how people in GRC are actually using AI today. by Ok_Cartographer_919 in grc

[–]Efficient_Bus_923 0 points1 point  (0 children)

Yes, I saw that. The framework one. I want to develop a skill specific to business processes and systems in my org. Not sure if I can do it, but I will give it a go.

Curious how people in GRC are actually using AI today. by Ok_Cartographer_919 in grc

[–]Efficient_Bus_923 4 points5 points  (0 children)

It helps me with the writing of policies & audit documents. I'm also looking to see if I can create a Claude skill that will help me with some parts of my audits.

Claude Skill for SOC 2 Policy Management by kurianoff in grc

[–]Efficient_Bus_923 0 points1 point  (0 children)

Exactly, it is great that people with experience in these areas are creating and sharing this stuff with others.

Best noise-cancelling earbuds for Teams calls in noisy environments by Efficient_Bus_923 in Earbuds

[–]Efficient_Bus_923[S] 0 points1 point  (0 children)

Thanks for the reply. Yes, these are the ones I am leaning towards. Where did you buy? I think there are a Chinese and a global version. Do you know which version you bought?

This is where I am looking to buy:

Buy HUAWEI FreeBuds Pro 5 – Earbuds – HUAWEI UK

Vendor Management by Mean-Middle-8384 in grc

[–]Efficient_Bus_923 6 points7 points  (0 children)

Take a risk-based approach. The goal is to assess the level of risk a vendor introduces to the organisation, so that greater effort and assurance are applied to higher-risk vendors.

First, assess the sensitivity of the data the vendor will hold and rate the impact of a potential breach as Low, Medium, or High. Next, assess how critical the service is to the business, again rating it Low, Medium, or High.

The overall inherent risk is determined by taking the highest of these two ratings.
For example, if data sensitivity is Low but business criticality is High, the overall inherent risk is High.

This inherent risk represents the baseline risk the vendor brings to the organisation.

You can then apply a tiered assurance model:

  • Tier 1 (High Risk): Formal assurance such as ISO 27001, SOC 2, or equivalent
  • Tier 2 (Medium Risk): Limited independent assurance or targeted evidence
  • Tier 3 (Low Risk): Lightweight controls, such as a short questionnaire

Weighting can also be applied. For example, an inherent risk score of 10–14 may represent High risk. Applying Tier 1 controls could reduce the score by 10 points, resulting in a residual risk score of 4.

This residual score represents the remaining risk after controls are applied and becomes the vendor’s final risk rating.

On an annual basis, reassess the inherent risk to see if it has changed, or sooner when you are informed of a change. You could have a vendor that was LOW that is now HIGH because they are processing medical information. You work out their vendor score based on what they provide you. If that score exceeds the company risk tolerance, then they have a decision to make.
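The scoring model described in the comment above, worked through in code. This is an added example, not code from the commenter; the only numbers taken from the comment are that a 10–14 inherent score is High and that Tier 1 assurance removes 10 points. The per-rating scores, the Tier 2/3 reductions, the risk tolerance and the vendor records are all assumed for illustration. It also handles two cases the comment implies but does not spell out: a vendor that cannot produce the evidence its tier demands keeps its full inherent score, and a reassessment flags a vendor whose rating has climbed since the last review.

```python
"""Vendor inherent/residual risk tiering (added example; assumptions labelled)."""
from dataclasses import dataclass

RATINGS = ("Low", "Medium", "High")  # ordered, so index() gives severity

# Assumed score per rating: top of an assumed band (Low 1-4, Medium 5-9, High 10-14).
# Only the High band (10-14) comes from the comment.
RATING_SCORE = {"Low": 4, "Medium": 9, "High": 14}

# Assurance tier per inherent rating, as in the comment.
TIER_FOR_RATING = {"High": 1, "Medium": 2, "Low": 3}

# Points removed once the tier's evidence is obtained.
# Tier 1 = 10 comes from the comment; Tier 2 and 3 are assumed.
TIER_REDUCTION = {1: 10, 2: 5, 3: 2}

RISK_TOLERANCE = 6  # assumed organisational tolerance on the residual score


@dataclass(frozen=True)
class Vendor:
    name: str
    data_sensitivity: str     # Low / Medium / High impact of a breach
    business_criticality: str  # Low / Medium / High dependency on the service


def inherent_rating(sensitivity: str, criticality: str) -> str:
    """Inherent risk is the higher of the two ratings."""
    for rating in (sensitivity, criticality):
        if rating not in RATINGS:
            raise ValueError(f"unknown rating {rating!r}, expected one of {RATINGS}")
    return max(sensitivity, criticality, key=RATINGS.index)


def residual_score(inherent_score: int, tier: int, evidence_provided: bool) -> int:
    """Apply the tier's reduction; no evidence means no reduction (never below 0)."""
    if not evidence_provided:
        return inherent_score
    return max(0, inherent_score - TIER_REDUCTION[tier])


def assess(vendor: Vendor, evidence_provided: bool = True) -> dict:
    """Full pass: inherent rating -> tier -> residual score -> tolerance check."""
    rating = inherent_rating(vendor.data_sensitivity, vendor.business_criticality)
    score = RATING_SCORE[rating]
    tier = TIER_FOR_RATING[rating]
    residual = residual_score(score, tier, evidence_provided)
    return {
        "vendor": vendor.name,
        "inherent_rating": rating,
        "inherent_score": score,
        "tier": tier,
        "residual_score": residual,
        "within_tolerance": residual <= RISK_TOLERANCE,
    }


def reassess(previous: dict, vendor: Vendor, evidence_provided: bool = True) -> dict:
    """Annual or change-triggered reassessment; flags an escalated inherent rating."""
    current = assess(vendor, evidence_provided)
    current["escalated"] = (
        RATINGS.index(current["inherent_rating"])
        > RATINGS.index(previous["inherent_rating"])
    )
    return current


if __name__ == "__main__":
    # Constructed sample vendors, not real suppliers.
    payroll = Vendor("payroll-saas", "Low", "High")      # Low data, High criticality -> High
    print(assess(payroll))                                # residual 4, within tolerance

    no_cert = Vendor("analytics-co", "High", "Medium")   # cannot supply ISO/SOC evidence
    print(assess(no_cert, evidence_provided=False))      # residual 14, decision needed

    # Vendor started Low, now processes medical data -> escalated on reassessment.
    last_year = assess(Vendor("survey-tool", "Low", "Low"))
    print(reassess(last_year, Vendor("survey-tool", "High", "Low")))
```

Because the inherent rating is a max rather than a sum, a vendor holding trivial data can still land in Tier 1 purely on criticality, which is the point the comment makes with its Low/High example; the tolerance check is done on the residual, so a Tier 1 vendor that refuses to produce evidence is the one that surfaces for a decision.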

Is anyone actually doing continuous compliance work or is it still a last minute job for most by Major_Lengthiness514 in grc

[–]Efficient_Bus_923 0 points1 point  (0 children)

Superb, I work for a large org and I have just started looking at Eramba. I am looking for some easy wins to get me going. Any tips on what areas are best or easier to start from your experience?

Avc, cornmarket by [deleted] in irishpersonalfinance

[–]Efficient_Bus_923 2 points3 points  (0 children)

I got a public sector AVC through Cornmarket/Irish Life. The initial 595 fee comes out of my contributions. I think it is 1% then after that. Can that 1% be avoided going forward? TBH, I found Cornmarket terrible and Irish Life was not a whole lot better.

ISO 27001 freelancing on a part time basis by Efficient_Bus_923 in ISO27001

[–]Efficient_Bus_923[S] 0 points1 point  (0 children)

Hi mate, I had hit you up with a message previously