Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Not Applicable Controls for SAAS Environment
I'm trying to figure out if certain controls should be listed as Not Applicable on an SOA for an organization that doesn't really manage their network in-depth as their users really just log into cloud-based services such as SharePoint & OneDrive remotely from home. To be clear, they do not have a need for anyone like a network engineer especially as they do not do anything like push patches to a production environment & simply do their due diligence on third-parties like Microsoft to make sure they are secure enough to communicate sensitive information. My question is whether the following should be Not Applicable:
A.11.1.1 - A.11.2.5: They seem to all be controls that would only be relevant in a physical environment where people would come in regularly & not one where there is not even a single office.
A.13.1.3: I'm not sure how segregated the network the standard wants for one that doesn't even require a network tech. I would consider sensitive folders being limited to specific privileged users, for example, being enough to satisfy this control for this context.
A.14.1.2 - A.14.1.3: I actually think both of these should be Applicable, but want to make sure. If users are allowed to connect from public networks & securely send sensitive emails, I think it makes sense to include them in the SOA. Confirmation from someone else here would be appreciated.
These are the controls I wanted to clarify the most. I'm sorry if I could've written this all out a little clearer & if these questions have already been answered. I tried searching for a list of controls that would normally be Not Applicable for a typical work from home company that doesn't really own any of their servers, but came up short. If there is already a good filtered list someone already has of typical Not Applicable controls for a SAAS environment like this that would be immensely appreciated. Thank you in advance, this community's always so helpful!
-
Record Control Table and Approved Supplier List
Do we have to keep a record control table and approved supplier lists? Please advise.
-
Specific Documents
Hi team, I am sending this message to ask you which documents will be for clauses 4.1, 5.1, 6.1.1, 6.1.2, and 9.1.? I have done all the documents provided by Conformio but I can't find the documents above. Please support me on this issue.
-
A.8.2.2 Labeling of Information
Thank you for the meeting we had last Friday. As discussed, “A.8.2.2 Labeling of Information“ is not applicable for us while “ and I deactivated the control in SOA. However, in the following steps I see there is the “information Classification Document” which requires a responsible person and also defining the labels in 3.2.2 (Confidentiality levels – see the below table).
I’m wondering if there is a way to remove Labeling in this case or is it enough manually we have put Not Applicable (N/A). Or if we have A.8.2.1 then is mandatory to have A.8.2.2 as well?
-
ISO 27001 vs COBIT
ISO has certification for Organizations such as ISO 27001, do the COBIT is competitor and also have certification for Organizations like ISO?
-
ISO 27001 single templates
Thanks for your mail - I actually noted afterwards that I was able to view the docs.
Can you please assist with which template is the correct one? To cover the following according to the SABS standard document:
Clause 4.1.
4.1 - External and Internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome/s of its information security management system
And
Clause 4.3
Determining the scope of the information security systemIf you can guide me in the right direction - I will purchase the single documents as I go along.
-
Documentation request
We got a peculiar request from a customer. Although we are ISO27001 certified a customer is insisting that we provide a full list, the following documents.
It is the first time we are asked of this, and I was curious if you came across it in the past and have any ideas on how to proceed.
Thank you
· Context of Organisation
· ISMS Scope
· ISMG Governance
· External & Internal Issues and Interested Parties
· Risk Assessment and Treatment Methodology
· ISMS Risk Assessment: Asset Register and Risk Treatment Plan
· Information Security Policy
· Training Matrix
· ISO 27001 Training & Awareness Schedule
· Information Classification and Handling Policy
· Monitoring and Logging Policy
· Corrective Action Register
· Access Control Policy
· Acceptable Use Policy
· Production of Software Policy
· IT Procurement and Third Party Security Policy
· Incident management policy
· Intellectual Property Policy
-
Clause 4.1 in Conformio
How to satisfy ISO 27001 standard clause 4.1 in Conformio? Please advise.
-
Question on risk assessment
One thing that I cannot understand is why we do need to maintain 2 separate documents, 1 for Risk assessment and 1 for Risk treatment. Let’s say, I have a Risk assessment excel spreadsheet containing 500 rows representing each risk which I maintain and keep updated accordingly (risk identification+ analysis + calculation is always completed).
Now I need to transfer all those 500 Risks to another excel spreadsheet to determine what are those appropriate controls that can put in place in order to treat risks respectively.
My question is whether I can have a merged/combined document to maintain including for both tasks. I have my Risk assessment excel document with all required columns (risk identification+ analysis + calculation, etc.), and what I need is to add another 5-6 extra columns required by the Risk treatment plan and have them all in one. Is this right?
-
ISO 27002
I purchased ISO 27001 TOOL KIT IMPLEMENTATION from your team last year and has been very useful.
Please ill like to get a professional advice. I am currently implementing ISMS FOR a client. using ISO 27001 FRAMEWORK. Now, is it advisable to use the new ISO 27002 CONTROLS released February 2022 or i Should stick to the older version.