I am currently following Advisera's articles and the Foundation Course to learn about implementing ISO 27001. Thanks to all for sharing this.
I want to ask you something; if you could answer, I would be pleased.
I have started an internship at a company and I am researching the steps for implementing ISO 27001.
This company is a small company, and it is a sister company of another company.
The bigger company and this company currently work in the same building; it even continues as an extension of the big company.
Most of their assets are the same, but their products and employees are different.
If this small company wants to get certified, it is possible, right?
The small firm wants to get certified
In this case, I am confused about how the ISO processes can be applied.
This is because every written procedure and policy also affects the members of the other company. Awareness training will have to be given to them as well, and the management of the other firm will have to agree to it.
In this case, should these two companies get ISO 27001 certificate together?
Or can only this small firm get this certificate?
Or should the two companies separate everything thoroughly before the certificate?
Could you help with this point?
Does ISO 19011:2018 align or integrate with ISO 27001?
Does ISO 19011:2018 align or integrate with ISO 27001 and if so how?
Infosec procedures
I am looking for two procedures: Vulnerability Management and cryptographic / encryption key management.
A vulnerability management procedure covering how many scans are necessary for each asset classification (critical, medium, etc.), the work required, the documentation process, etc.
A cryptographic procedure covering how to protect keys and private keys, emergency access to keys, encryption methods, code signing certificates, etc.
Baseline: ISO 27002 - 10.1.2
OWASP: Key Management Cheat Sheet (key life cycle management (generation, distribution, destruction); key compromise, recovery and zeroization; key storage and key agreement)
Quantity of risks
Good day Dejan,
I hope things are going well in your part of the world.
We at *** are slowly working on our ISO 27001 accreditation and would appreciate some guidance from you, please. How does the attached Risk Table look for a small IT services company with ~15 people? When we spoke last, you suggested that we do the certification for our whole business as opposed to just our SOC portion, so I've considered elements from our offices, our hosted customer environment and our new SOC.
I've used ~50 of your standard assets, combined with your standard threats and vulnerabilities, and have come up with ~200 risks.
~15% of these will need further attention later in the process based on their risk score.
Are these risks and numbers appropriate, or do we need more, fewer or different ones? I don't want to get too far ahead if this stage still needs more work. We still need to share it with our technical people, who could very well raise some additional assets and associated threats, vulnerabilities and risks. I also don't want to add too many risks if they are effectively trivial, but I do want to demonstrate to an auditor later that we have applied our minds to the task.
Would you be available for some feedback by email and/or an online meeting in the next 2-3 weeks? There is a 7-hour time difference to Perth, so 9am your end / 4pm our end will probably work.
Look forward to hearing from you.
ISMS metrics related to Scope
Dear all, the scope of our certification is purely focused on product development data security. Do you have any tips or examples of PD-relevant ISMS metrics? Of course without specific data, like names or values; just as inspiration for us. Thank you in advance.
ISMS metrics, from Product development perspective
Can you provide guidance or recommendations on how to develop ISMS metrics from a product development perspective?
Acceptance of ISO 27001 Lead Auditor certification in Europe and US
What is the acceptance of ISO 27001 Lead Auditor certification in Europe and the US?
Is there a specific legal basis in the European Union? If yes, what is the name of the legal act and the article number serving as the legal basis? This is very important for me: for example, if I undergo training with your company and pass the exam, will it be respected in Europe, and how?
Are there any legal barriers to accepting the ISO 27001 Lead Auditor certification, and if so, what are they?
I would like a concrete answer in order to better decide whether it is worthwhile to take the course and the exam with you in the above-mentioned scope.
Business Continuity Management
Could you please help me with the Business Impact Analysis for Business Continuity Management (Annex A.17) in the ISMS? As per the ISMS requirements, we have updated the Business Continuity and Disaster Recovery Plan as below:
The planned alternate site is 10 kilometers away from the primary site. There is no server hardware or internet service available there at the moment.
The critical business processes (based on the Business Impact Analysis) specify a Recovery Time Objective of 24 hours for internet service. I would like to understand how to define this. How do we arrive at that number of hours?
Amendments to ISO 27001 Toolkit
Happy to announce my success in passing the ISO 27001 Lead Auditor Exam.
Now that I have had time to return to creating the 27001 Tool, I realise that the changes referred to in the 2022 versions of both 27001 and 27002 may impact documents such as the SoA, the applicable controls, etc.
Please be so kind as to advise whether the Tool will be upgraded to align with the changes and, if so, what the financial implications are for me, so that I may be assured my Tool is current.