Guest
Are the controls for Acceptable Use Policy a guide in creating security awareness workshops for staff?
We are a global company with branch offices in up to 27 countries and soon to be more. That being said, if our office gets ISO 27001 certified, will the other branch offices be certified and/or have the ability to say they are ISO 27001 certified?
Can you help me with this query: What information security requirements should be included in contracts with suppliers?
Can I implement ISO 27001 as a stand-alone system, or should I also implement ISO 9001?
Is it necessary to have a policy/procedure for asset management/inventory or is it enough to have the records showing the asset and the owners?
Can an IT Service Provider get certified for ISO 27001 for work done at client locations?
In the policy:
Steps and responsibilities for information management are the following:
Step name
1. Entering the information asset in the Inventory of Assets
2. Classification of information
3. Information labeling
4. Information handling
If classified information is received from outside the organization, [role] is responsible for its classification in accordance with the rules prescribed in this Policy, and this person becomes the owner of such an information asset.
We receive data files very often. Are we required to enter each and every one of them into the inventory of assets? That sounds onerous from our perspective, and that inventory would be extremely long and a burden to keep up to date. Is it permissible to instead include a description of the data/file type that we receive?
1. I'm trying to find out who the risk owner would be for a technical risk (one of the nine from the STEEPCOIL).
2. With regards to the risk categories, do you know which one a power surge or a loss of power would fall under?
I have a question regarding asset list/inventory. We are creating the list of assets for the Risk Assessment and Risk Treatment process. Once that list is complete and we come up with threats and vulnerabilities for each, is there any need for a separate list of assets as in A.8.1 Inventory of Assets?
I know that you have stated that "assets are not only the information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to an organization," so I have a question on that as well:
Our company is using a consulting group that has an online tool for managing all records and policies, but it seems to define assets strictly as devices. Also, risks are listed separately and are linked only to "category type," not to a specific detailed asset.
Our company has different departments, like:
1) HR
2) Finance
3) IT
4) Facility Management
5) Admin
6) Operation
7) Legal
I am implementing ISO 22301 and I need to do the scoping of the BCMS. Can you please advise me on how I should perform these tasks? What are the things that I should consider while scoping and what departments should I include in the scope of BCMS?