ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 / Conformio questions

    1. How should we treat the risk assessment process? Should we consider all the risks within our company and go over a bit or should we be more conservative? For example, should we consider our CEO being on leave as a risk while doing the risk assessment? 2. In terms of SoA should we mark all the controls as applicable? How should we approach this?
  • Role of CISO

    Is the CISO responsible for physical data/information on paper as well as for digital information?
  • Security concepts

    I am a PhD researcher and I am looking for useful security concepts for my research. I want to see which ISO framework you think can be useful as a basis for finding useful security concepts. My research is to provide a framework that helps organizations identify security concepts at the governance and management levels. I am hesitating between ISO 27000, ISO 27001 and ISO 27014. I would appreciate your help in this regard!
  • Changes affecting the documents

    I would like to know how these new controls affect our purchased toolkit (Cloud_EN)? Reference: https://info.advisera.com/27001academy/free-download/overview-of-new-security-controls-in-fdis-iso-27002 Should we include this new change in our implementation?
  • New versions of ISO 27002 and 27001

    Dear Team, first of all thanks a lot for your "Overview of new security controls in FDIS ISO 27002" – it helps a lot to understand what is being changed. If we are currently in the process of implementing ISO 27001, would you recommend changing our SoA according to the new version already? Thank you!
  • ISO 27001 questions - Conformio/Toolkit

    I have some questions about the ISMS scope document from the toolkit. We own the servers in a data center that is owned by a third party, so what does it mean that the provider has control? Our customers purchase our service as SaaS, but we on our side have suppliers who provide us with the data center. These are the services we offer. The question is: does this mean that the provider who has control is the customer, us as the provider of the service, or the third-party service we use to rent the data center? How does this affect our risk matrix? We buy/rent our infrastructure, so what asset should we include in the risk matrix? What I understand is that we should mark ourselves as number 2 in this table. Am I correct? In that case, should we include the data center as an asset of our organization or not, since this is something we rent? In that case this asset should not be included, is that correct? Should we also include storage media as an asset, considering the scope of our business? When thinking about the assets "Internally developed software" and "servers", should we consider all the different products we are providing and servers we are using as separate assets, or can we write just general "Servers" or "Internally developed software" and that is enough? When thinking about "Operating system" as an asset, does this refer to the operating systems we use in our organization where we are running the server, or does it refer to the operating systems our customers are using when downloading and using our service?
  • ISO 27001 Expert question

    The company is not planning to get certified, but IS is supposed to be compliant with the European NIS directive. Experts on that directive are all recommending the ISO 27001/22301 standards. So I'm trying to respect ISO standards best practices in all my projects now. I'm a little bit lost with document management for the moment. For the moment I just wish to know: 1. Is "System Management & processes" the right classification approach for documents when wanting to respect ISO 27001? 2. If the answer to question number 1 is "yes", then how do we deal with documents like policies that are used by multiple SM & processes? I've seen in a SharePoint tutorial proposed by ISO 9001 experts that they were using metadata for document indexing. Does that mean that policies should be attached to multiple SM & processes at the metadata level? 3. If the answer to question number 2 is "yes", then are there best practices in ISO 27001 about document organization apart from classification? In the ISO 9001 SharePoint tutorial the experts were saying that there was no obligation regarding the organization of documents and that they can be stored with or without hierarchy. But regarding access rights I suppose it can change things a lot. Is there something detailed about access rights to documentation in ISO 27001?
  • ISO 27001 - exclusion of personal devices in the ISMS scope

    In the ISMS scope document, I initially removed the usage of personal devices for business (like using our own phones to access emails) from the ISMS scope. But now I wonder whether this is a good idea, and whether, if we do not, we run the risk that an external auditor would argue that using personal devices is a high risk for the company. What would you suggest?
  • Presenting changes on internal and external issues after a merger

    Do you know how to present the changes on internal and external issues after a merger?
  • Scope question

    Our scope will be the whole company (***, about 30 people). This company has a wholly owned (100%) affiliated company called ***. All employees are employed by *** and some of them also work for ***. The scope should include both companies. Is this automatically included, or may I name both companies in the scope statement?