Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Query on Classification of ISMS
Query related to ISO 27001 ISMS - (Classification of Non - Conformity) In Advisera ISO 27001 Document toolkit, it is given/recommended that organization must provide classification for the risk. The query to be resolved are as follows: Whether organization is supposed to provide classification for Non-Conformities as well? If yes, please, suggest the method/mechanism to be adopted for the classification of NC's as well. -
Datacenter room
A question about what characterizes the CPD, where the room will not have any server only a firewall and internet modem, can it have wooden cabinets? what does iso 27001 charge? iso 27001 requires a room for endpoint maintenance, it can be next to the CPD room, there is a prohibition on having wooden furniture inside the room. -
Scope of the ISMS
I have some questions about the definition of the scope of the ISMS. We're a small software company (less than 50 employees) and we both develop and provide software as SaaS. I understand that the scope should include the whole organization (office, employees, assets, etc.), as well as the processes we've implemented to develop and maintain our software. What is not clear to me is whether we should make explicit mention of these software products. Isn't it implicit that any application developed according to the practices laid out in the ISO 27001 standard is inherently compliant with it? A previously answered question states that "an application cannot be defined as an ISMS scope." [1] Most certificates I've seen simply state "software development", but some do mention their software solutions in the scope definition (e.g. MongoDB [2]). Does that ultimately make a difference in our ISMS or is it merely a question of public image and marketing? -
Question about the risk assessment table
First of all, I wish you all the best for this new year, to you, the whole Advisera team as well as your loved ones. Starting this new year with our Risk Assessment Table, I was wondering how detailed it should be. I'm sure that, by thinking about it, I could add and add specific points, but I'll have to stop at a certain point. Any general advice about this? more concretely, as our ISO 27001 certification is focused on our SaaS platform, we use a lot of different cloud providers resources, like databases, servers, and many different tools. Is this a best practice to list them all and find potential threats and vulnerabilities for each one? Two examples: - We use *** and *** as 2 separate databases. Should I list both of them or can I "simply" mention that we use "databases" and find threats and vulnerabilities that are applicable to both of them? - We use *** and *** as documentation tools (that can include sensitive information). Should I address them separately? -
SOA; CONTROL APPLICABLE vs. CONTROL IMPLEMENTED?
1 - Can you help me explain the implementation of SoA? 2 - Is SoA acceptable if not all applicable controls are implemented? (control applicable) are not (control implemented)? -
ISO 27005:2018
I trust that you had a relaxed and safe Festive season. As I prepare for my deep dive into Information Security Audit and Risk Management, I have taken your advice and am reading ALL relevant Standards so as to ensure I can respond with confidence in respect to their importance on my journey. I found the following Statement in the “Introduction section of ISO 27005:2018” This document is based on the asset, threat and vulnerability risk identification method that is no longer required by ISO/IEC 27001. There are some other approaches that can be used Please be so kind as to provide your insight to the relevance to an ISO 27001 Risk and ISMS Implementation. Look forward to your valued response. -
Protection against abuse of rights
How can the threat of abuse of rights be countered in the CRM system? I know that cybersecurity awareness and training and NDA are solutions. Is another solution for this threat? -
04.1_Information_Security_Policy_Cloud_EN
Using your toolkit, I am writing 04.1_Information_Security_Policy_Cloud_EN. In the document, it is stated that to learn how to fill out this document, and to see real-life examples of what you need to write, watch this video tutorial: “How to Write the ISMS Policy According to ISO 27001”. However, I see some differences between the word document in the toolkit and the document in the video. Is this because they are different documents? Or Have there been changes made to the toolkit? If so, is there a video tutorial for 04.1_Information_Security_Policy_Cloud_EN? Moreover, the title of the 2 documents is different. In the toolkit it is "INFORMATION SECURITY POLICY" but in the video, it is "INFORMATION SECURITY MANAGEMENT SYSTEM POLICY". -
ISO 27001 package question regarding risk assessment
thanks for the call last week! I proceeded with the risk assessment. Just a small question: The evaluation of probability of a risk already takes into account the measures that we already have implemented - is that correct? Because in the methodology it says:
So that means: If we already have implemented several security measures for certain risks, the probability will be low in the risk assessment. This would lead to a quite small amount of not acceptable risks (3 or higher) that would be transfered to Anhang 2 "Verzeichnis Risikoeinschätzung" (currently around 12 risks to be transfered in our case).
Did I understand this correctly? Or do we need to evaluate the risk without taking into account the measures we already have?
Thanks for your help!
-
Cloud services auditability
Thanks for this… quite timely too as I am in the middle of undertaking research for a professional doctorate degree in information security. My research is around the auditability - or lack of - of cloud service providers by cloud customers. As a 3rd party assurance consultant we are getting more and more resistance from suppliers/partners of cloud services to audit them. My research aims to review existing cloud audit frameworks and draw out any gaps – and propose a new framework that allows CSP auditability. The proposal is to develop an audit authority that can perform audits of cloud service providers using the proposed framework. The audit reports can then be made available to businesses so they do not have to audit the CSPs themselves. I have contacted the CSA for their input and hoping to get their feedback soon. 1 - Would you happen to have mapping of cloud audit frameworks that highlights common controls and differences? 2 - Also what is your opinion on the Cloud Audit Authority proposal?