ISO 27001 & 22301 - Expert Advice Community


  • Setting up and passing the audit

    As we have two entities, one in Site A operating under the supervision of the regulator and 2nd in Site B providing services for the Site A entity, a few things to clarify:

    1 - Is the setup, documents, actions etc. enough for both entities, or will I have to prepare two different setups?

    2 - Also, do we have to pass an audit to certify both entities, or is only the regulated body enough?

  • Outsourced development

    I am struggling with the definition of outsourced development at the moment and seek advice.

    My CTO’s view is that we do not have any outsourced development which, if true, would mean that we should be able to exclude A.14.2.7. But I am not really sure what I think. We have a small team of developers in another country (Poland) hired by a consultancy firm. We have a dedicated team leader (hired by us) leading that team (operationally), and the developers in the team are otherwise handled as any other developer in our organisation. Most of them being consultants, the only thing that differs is that the team in Poland is hired by a third party. They follow the same processes, use the same information (located in the management system) and are monitored in the same way as all other developers in our organisation. They are a part of our internal communication (department meetings, company meetings, using our organisation’s MS Teams, etc.). They have the same access (depending on their role and their need) and are added to our people register as any other consultant. This is the reason why we are saying at the moment that we don’t have outsourced development. But is this enough? Or are we, just because we are using a third-party firm to supply these developers, in fact having outsourced development?

    I would really appreciate it if you take the time to read my question, and any help to become a bit wiser in this =)

  • How would ISO 27001 help secure system from ransomware attack?

    How would ISO-27001 help secure a system from a ransomware attack for example WannaCry?

  • Information security policy review

    How do information security incidents impact information security policy (approved by Top Management)?

  • Residual Risk Question

    The risk assessment and treatment plan output document includes only the risk rating before the measures to mitigate risks. The auditor would like to see the measures taken to mitigate risk and the residual risk level in the output document. This information is available in the software but not in the pdf created by Conformio.
    Could you please add this information to the pdf document?

  • What are the laws and regulations to be included in the ISO 27001 Register of Requirements?

    I thought the ISO 27001 Register of Requirements should contain only laws and regulations on information and data security such as Personal Data Protection. I have seen examples of Companies Act, Employment Act, Taxation Act, etc. included in the Register. Why are these included as they do not relate directly to information security?

  • Questions about ISO certification

    We have bought the “ISO 27001 documentation toolkit” and now we have some questions:

    1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with an asterisk (e.g. #4): are they required for the ISO certification, or can we decide whether they concern us or not?

    2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us?

    3. The headquarters and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, belonging 100% to ***. How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?

    4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for the certifier?

  • Questions ISO 27001

    Good morning, is it possible to help me with the following questions?

    1. Every information security policy must have at least one procedure associated with it.

    2. Can security policies and procedures be written in the same document or should they be separate documents?

    3. Should the strategic information security policies be in a separate document from the technical information security policies, or can they be in the same document?

    4. What is the difference between policies, standards and procedures?

    5. Should the person in charge of information security be independent from the area of information technology? Or can it be a person/Position that is part of the Information Technology area?

    6. Can the technology leader also be responsible for information security?

    7. Do you have any template of how to write a strategic information security plan?

    8. Can you send me examples of major nonconformities and minor nonconformities?

    9. Can the vulnerability tests of information assets be carried out by the same organization or must an external provider be contracted to carry them out?

    10. Is an information security incident the materialization of a security risk?

    11. What is the difference between an information security event, an information security incident and an information security risk?
