ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 Clause 9.2

    For ISO 27001, clause 9.2, do you need an internal audit function, or can it be named something else, such as a risk review? My organization does external financial audits, but a client is asking us to assist with their "internal audit" function of 9.2. However, we cannot do internal audits, only risk reviews.
  • Framework question

    One question about your framework. I have got a long agenda for the certification meeting. This is just a part of it:

    Top management
      - Organizational context and needs and expectations of interested parties (4.1, 4.2)
      - Strategic direction, policies (5.2) & objectives (6.2)
      - Involvement and commitment from top management with respect to the management system (5.1)
      - Roles, responsibilities, and authorities (5.3)
      - Provision of resources (7.1)
      - Human resource security (A7)
      - Communications (internal/external) (7.4)
      - Continual improvement (10.2)
      - Performance evaluation (9.1)
      - Management review (9.3)

    I have documented all of Annex A, but where are all the requirements like 4.1 and 4.2 documented in your framework?
  • How to record external issues (not legal or contractual) in Conformio

    In the Conformio ‘Register of requirements’ it is possible to add requirements of types ‘Contractual Agreement’ or ‘Legal/regulatory requirement’, but not any other external/internal issues as stated in ISO 27001. Our organization for example has an office in Ukraine and we would like to add an availability requirement regarding the people and company infrastructure there. How should we record that requirement in Conformio?
  • Approving Residual Risk in Conformio

    Can you please advise whether we should click "Approve Residual Risk" during the final (Approval) phase of filling in the Risk Register module, even if all the identified "Risk Treatment Controls" items are not yet in place or implemented?
  • Risk assessment question

    I need some information about 3rd party risk assessment. We are a small business preparing for ISO 27001. I need to know how to fill in the 3rd party risk assessment questionnaire. I also want to know how to use the other registers which are mandatory in ISO 27001. In addition, I don't know how to make the SOA.
  • Establishment of the scope of the ISMS ISO 27001:2013

    Good morning. Could you help me with a practical guide and/or examples to help me establish the scope of my Information Security Management System (ISMS) and comply with ISO 27001:2013? What considerations should I take into account to establish the scope of the ISMS?

    I give a context of my organization: my company has a mixed operations model: employees in telecommuting mode and some employees in a physical office, and we occasionally rent a coworking space for meetings or for some group activities and/or meetings with clients. In the short term we will only have telecommuting employees and we will give up the physical office.

    All our application servers are in the cloud (we have a private cloud). We use Microsoft Office 365, Google G Suite and Zoom. Employees from software development, designers, analysts and data scientists connect via VPN to the private cloud and each have a virtualized Windows 10 computer for their work. Salespeople do not connect via VPN to the private cloud; they only use web applications (Office 365, Google G Suite, Zoom, CRM). The accounting area is connected by remote desktop to its own server in the private cloud. It is an RDP server (Remote Desktop server). They (commercial and administrative area) are assigned a company team.

    Developers, designers and analysts are normally allowed to work from their own personal computer, but only to connect via VPN to the cloud. Very few have asked the company to assign them a team for telecommuting.

    We have a task that weekly downloads the backups of our main virtual servers and the virtual teams of the developers that are in the cloud to a storage server that is in our physical office. Our servers are in a datacenter that has ISO 27001:2013 certification. In the physical office we have 4 servers, but they are only for backup storage and for tests.
  • Management of change

    Hello, how are you? I have bought the ISO 22301:2019 kit. Recently I had an observation during the external audit for certification: "ISO22301 6.2.3 Not all recognized criteria for the implementation of the Change Management Process for the ISO22301 standard have been recorded." Where in the ISO 22301 kit can I find information or a procedure for Change Management, to close the observation so that it does not become a non-conformity? Thank you in advance.
  • Risk Register question

    On the other hand, and still in reference to the Risk Register, we question whether it is reasonable to consider the 'vulnerability' weak password under the Asset-Human Resources (top management, employees, etc.), rather than under the more obvious Asset-IT and communication equipment (desktop computers, mobile devices, etc.). This, in the sense that our people set their passwords and are expected to comply with the password construction guidelines/Password Policy; and in the end, it is through their following of the rules that this can be assessed. We are not certain whether this approach makes sense or is viable.
  • Inquiry about the following ISO27001 controls

    Background: No. of employees: ~ *** employees. Scope for ISO certification (*** sites):
      - Site A: 5 employees, CxO, few tech people, with a physical office shared with *** parent company
      - Site B: ~ 35 employees, Operations (Developers, cybersecurity, Cloud support), no physical office (***)

    Working environment: 80% of the time site 1 personnel are working remotely, while site 2 employees are 100% working remotely. Can you please provide some guidelines on the following scenarios?

    1. Physical office security for site 1: Given the scenario above, is it possible to treat the site 1 office as out-of-scope? The existing security controls of the office do not fully conform with the standard, and our personnel cannot make major changes to the office security since they are only sitting in our parent company's office. In terms of risk associated with the physical security, we assess that it is minimal since most of the time our personnel are working remotely (80% of the time) anyway. The security will be enhanced on the personnel themselves (awareness), their system accesses (policy, access rights and reviews, and the like), and on their user laptops (endpoint security such as anti-malware, DLP agent).

    2. In site 2, our HR, Recruitment, and IT (laptops, user peripherals, purchasing of this equipment) services are provided by our parent company (shared among some of its subsidiary companies). Are they still considered a supplier of the services and will they be required by the standard to comply with the applicable 3rd party controls (NDA, contracts, etc.)? We do not have such a contract established with our parent company. The personnel of the aforementioned teams only access "internal" classified data such as employee info, payroll, and the like.
  • How to close treatments

    How do you close risk treatments?