Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk assessment and treatment report
I have a clarification question regarding the risk assessment and treatment report. When is this report created in the process of the ISO 27001 project? Before or after implementation of the necessary controls?
In the draft document it states that «The risk treatment was done from XX to XX.» (Risikobehandlung wurde im Zeitraum von [Tag/Monat/Jahr] bis [Tag/Monat/Jahr] durchgeführt.) Does this include that the controls are in place, or does this mean that the treatment plan etc. was created, but the controls do not have to be in place when writing the report?
Also, it says in the draft document (Heading 3.5) that «after implementation of the controls the residual risks are re-evaluated» (nach der Anwendung der Maßnahmen wurden die Restrisiken bewertet). This implies that the report is done after the controls have been implemented as the process (on which is reported) would include the residual risk evaluation after the implementation of the controls.
-
Integrated implementation
How can this standard be useful for implementing of other standards like ISO 27001, ISO 9001, AS 9100 etc.?
-
Compliance verification
How do you verify compliance to regulatory requirements? It should be a scheduled audit or random verification of meeting criteria? Thank you for consideration.
-
Toolkit choice
1. Que paquete debemos comprar, si solo uno de nuestros cliente nos esta solicitando que estemos certificados en ISO 27000, porque tienen acceso a un SaaS de IBM que nosotros les vendimos. 2. Una vez comprado, en cuanto tiempo acorde a su experiencia, podemos obtener la certificación para este propósito. -
Valuating criteria through formula for BIA
Hola, me gustaría saber lo siguiente: Si se explica la obtención de los valores de los diferentes criterios: Financiero, regulatorio, at. cliente, a través de una fórmula. -
Creating risks list
Oye tengo una gran duda con unos templates que compre con ustedes para Risk Assessment, en los videos no muestran como crear la lista de Riesgos. Solo indica que primero hay que identificar los Activos, a través de las amenazas y vulnerabilidades pero no veo ningún template que muestre el resultado final después de haber identificado los Riesgos, estoy confundido. Me puede ayudar?
(Hey, I have a big question with some templates that I bought with you for Risk Assessment, in the videos they don't show how to create the list of Risks. It only indicates that the Assets must first be identified, through threats and vulnerabilities but I don't see any template that shows the final result after having identified the Risks, I am confused. Can you help me?)
-
Internal audit questions
Buenos días, haré mis primeras consultas como parte de la compra del paquete de implementación de la ISO 271001, y mis consultas son las siguientes:
En un informe de Auditoría Interna ISO 27001 es posible detallar las conformidades como Mayores y Menores o solo como No Conformidades? ya que si tomo la Directriz de la ISO 19001 no la sub divide como mayor y menor, simplemente como solo No Conformidad.
Si bien es cierto un Informe de Auditoría Interna, detalla los Hallazgos (No conformidades) y observaciones, que pasaría sí en la organización auditada es todo CONFORMIDAD?, Es posible que en el Informe de Auditoría Interna mencione cuantas CONFORMIDADES encontré?
-
Template content about spam e-mail
Form the IT Security Policy 3.14: Should a user receive a spam e-mail, he / she must inform [job title].) This may be something to think about for (specific) phishing mails, but is certainly not suitable for spam, here 98% of all email is spam and once in a while one gets through the filters. -
Evidencing requirements
I have the next question. A customer of ours participates in a government tender. He must therefore demonstrate that he meets a number of requirements of the ISO 27001 standard. In total it concerns 200 requirements.