6 - In the Demonstration Kit, in the ANNEX A folder, we did not find any demonstration documents that deal with item A.18, is this item disseminated in other documents?
Hello,
Here are some questions. Not the ten from this month. I hope it is ok to send them in several batches.
Thank you very much in advance for your help!
Questions:
03- Scope template:
1.1. Processes and services [Specify the services and/or business processes which are included in the scope]
Q1- Must this include a list of all programs, sharepoints, SaS, etc? or is just a high-level description like "aplications developped"?
02 - Procedure for requirements identification for interested parties
Q2 -Shall we detail all contractual requirements,one by one, or only those that could impact information Security? Do they need to be listed for each customer or can they be grouped? for example, if there is a legal requirement about time retention, can we just assign different contracts/customers to this requirement, or better list customer by customer even if the requirement is the same? We dont know how detailed this must be.
Assets and controls
Q3 - People can be assets (eg the IT Admin), How many of the employees is recommended to include in the assets? All our employees or just the ones in key positions
Q4 - Assets and Controls: We are considering selecting around 150 assets, 110 of them applications or with some technical dependencies. This results on a lot of controls that apply to each asset. So far, we have this information in excel sheets. One per each asset, with all the pertinent control. How do you suggest managing this amount of information? Is there any tool, besides excel, that could help managing all this information? For the auditing process, do we need to maintain this excel sheets/information? We haven't see any reference in the mandatory requirements, only those to risk assesment, SoA,etc.
How can ISO 22301 certification give a 'marketing edge' to an organization? (similar to ISO 9001 in the 1990s)
I will look forward to hearing from the expert.
In the example above in the screenshot I have given the consequence score of because of the existing controls. But should I be putting in the score prior to consideration of controls, which would be a' and then putting the lower Risk score into the Risk Treatment Table after consideration of the controls, even though they are already in place?
1 – In the RAT, presumably I do not list risks that are already mitigated?
2 – Is it possible to see an example of a real and completed RAT, preferably for a SaaS business?
I also have questions about risk assessment. I am asking for guidance in relation to the following questions:
1. The risk assessment methodology document is the same for 22301 and 27001? There is no direct reference to ISO 22301 in the sample document, only ISO27001. Is it appropriate in case I'm not only implementing 27001? Let’s suppose I implement ISO 22301 or possibly ISO 22301 + 27001 simultaneously.
2. Do I understand correctly that risk assessment should cover all business processes / activities involved in the business continuity management system?
If there is requirement for iso27001 for ecommerce company, but the company who own the business and who run the ecommerce is different company, who need to take iso 27001 ?
Actualmente ya estamos certificados en ISO 27001 y nos gustaría saber cuales son los siguientes pasos para poder mantener la certificación
We are currently certified in ISO 27001 and we would like to know what the next steps are to be able to maintain the certification
In the process of writing an ISMS Scope Statement. Can you please review and provide feedback if this will work for a Scope Statement or should I add or take away any words from the below statement. Appreciate your comments! Thank you!
We are a clean and wastewater critical infrastructure business. Consulting and designing clean and wastewater facilities is our core business. It is therefore our responsibility to establish a strong information security management and governance system to protect processes, services, data and assets of our business, employees, clients, contractors, vendor in relation to confidentiality, integrity, and availability.
We're working with the documents and the process goes well overall.
I do have a question on defining the scope of the ISMS. We are a software consulting company, we have our own products, but we also deliver development services to customers. I want to express that software that we develop and manage (SaaS) on our own terms (our own products) fall within the scope of the ISMS. When we work for customers, we want to follow whatever guidelines our customer asks for. In addition to the software development services themselves, the overall IT infrastructure and security of all departments (backups, password rules, network security, anti-virus rules, ...) by our personnel should in general fall within the scope of our ISMS. I wrote down the scope as below, but I wonder if the last bullet point is not too broad, pulling *all* general processes within the scope of the ISMS (e.g. company car policy?). What's your opinion on the definition of the scope of our ISMS as stated below? Any suggestions to get closer to what I described above?
The following processes and services are included:
The software development life cycle processes of *** software products.
The operational processes of *** SAAS products including SAAS products hosted in the cloud.
Software development services delivered to third parties, insofar contractual agreements contain Secure software development life cycle requirements (SDLC).
System administration services delivered to third parties, insofar contractual agreements contain ISMS requirements.
Internal general processes, and operations (e.g., HR, Finance, Accounting, Sales, ...).
