Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Best method of internal audit checklist
I have question concerning creating the best method of internal audit checklist. Is it open or close ended question given that your sample in advisera.com used was close ended question while your modules addressed using open ended questions.
-
ISO 27001Toolkit
We are tasked to establish a document on Web Application Vulnerability Assessment on public facing websites as part of web application management. With reference to the toolkit we purchased, may we know what is the most similar document that we can use as a reference. The current process we have as follows: 1. Information Security Manager conducts the web application vulnerability assessment on all public facing websites. 2. The business owner(s) who owns the websites may nominate the web masters who will maintain and manage the updates/upgrades and remediation of all application related issues. 3. Vulnerability scan report will be given to the Bu(s) and web masters (developers) by Information Security Manager. 4. Vulnerabilities will be addressed by web masters (developers) with reference to the Detailed Scan Report. 5. Re-scanning of the website will be conducted to check and verify mitigation made. -
Using CVSS as Risk Management Methodology for ISO 27001
Is it possible to use CVSS as Risk Assessment Methodology and still be compliant with ISO 27001? How do we map LIKELIHOOD and IMPACT using CVSS? Thanks. -
ISO 27001 - Microsoft Office
Is there any incompatibility between using Microsoft Office and applying for ISO 27001 certification? Thank you very much in advance for your attention! -
Becoming ISO 27001 lead auditor
I’ve recently passed ISO 27K1 foundation exam. Now planning for ISO 27K1 lead auditor course and exam. I’ve query regarding it. After I pass the exam ISO 27K1 lead auditor from Advisera, then am I able to audit companies for ISO certification and provide certification? So, I was checking PCEB exam too, but Criteria seems different then Advisera. Please advice. -
Conformio and Annex A controls
I have a client who signed a contract with a big company some time ago and this client was part of a big *** advertising group and benefited from all the resources of the group, but now he has become independent and has to implement the requirements defined in the contract in order to comply with the contract he signed before. Therefore, he asked me to implement the requirements of the contract as a priority. Here are the security policies and article that I need to put in place first. I don't know if they can be handled separately or should I follow the step by step procedure. Let me know if you need more information. Policies to be put in place : Data backup policy Business Continuity Planning Policy External parties policy Data classification policy Security patch management policy Cryptographic standard Access Control Policy Remote Access Control Policy Physical and Environmental Security Policy Security and Privacy Incident Response Policy Articles: A.12.2.1, A.15.1.1, A.15.1.2, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.5, A.17.1.1, A.17.1.2, A.17.1.3, A.18.2.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3 -
Mapping of requirements on controls
Here’s another question about the mapping of requirements on controls. We have a customer requirements that relates to regular reporting on the effectiveness of the ISMS. I think it would be appropriate to map these on controls A.18.2.*. From the mapping document this does not seem to be the possible. There is no corresponding ‘Compliance’ are that can be selected. Actually, A.18.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should a compliance area not be selectable in the requirements register and should A.18.* not be mapped as a result of mapping onto this area? Or any other area? -
Performing Information security and POPIA compliance gap analysis
Good day Dejan, I have been going through your materials and I am about to purchase the ISO 27001 Documentation Toolkit English (with live expert support) Because I have the below message from a potential client. Hi, I have a client who would like us to submit a proposal to perform Information security and POPIA compliance gap analysis. The overall purpose of this analysis is to identify the level of compliance and potential gaps that might exist from an Information Security perspective when measured against ISO 27000, and Data Privacy as measured against POPIA. Deliverables 1. Report of Cyber Security Gaps along with the recommendations and a roadmap to resolve these gaps 2. Report of POPIA Compliance Gaps along with the recommendations and a roadmap to resolve these gaps 3. Presentation to the client of the findings of the Audit exercise 4. A penetration test report Response Requirements The following should be included in the response: • Approach • Specific Deliverables • High-level timelines What do you advise as to how to proceed with responding to the approach and specific deliverables? -
Question about GRC committee
I hope this email finds you well, I have a question , we will be creating a GRC committee, therefore, I need to know what first steps should be done with the committee as an information security officer. Also, what should be asked from the management representatives to do first and so on -
Asset inventory
When writing and preparing an asset inventory, should we write the name of risk owner/asset owner or the role?