ISO 27001 & 22301 - Expert Advice Community


  • Risk assessment Vs SoA

    Dears, once we handle the risk assessment and treatment plan, we will choose the controls necessary to reduce the related risks. In the SoA we have to go through the 114 controls and choose which of them are implemented, will be implemented, or are not applicable. So we are repeating the same steps in both the risk assessment and the SoA... so why not only go through the 114 controls, and this will cover both steps (controls needed to reduce the risk and the SoA process)? I appreciate your feedback.
  • About the IT security Policy and some documents mentioned as "implementation method" in the SOA

    1. Filling in the IT security policy, we ran into trouble on 2 points:

    3.12.2. Clear screen policy. Our current communication to employees is to lock the screen whenever they leave their desk and to shut down when they leave the office (with or without the PC), and at least every evening. Our PCs are also configured to lock the screen automatically with a password after 5 minutes without activity. But we don't have any automatic logout or automatic shutdown. After a discussion with our IT administrator, he doesn't know any solution to do so. Looking around with our consultants, none have seen such a solution implemented by our customers, even the ones most concerned with security. So we decided to continue with the current situation. However, describing the current policy is not possible, and that automatic shutdown option cannot be removed from the IT security policy in Conformio... Could you help us?

    2. 3.14. E-mail and other message exchange methods. Trying to fill in that chapter, we found some ambiguity in the usage of the term "Users":
    - "Users may only send messages... Users must not send spam...": the user is an inspearit employee sending mail.
    - "Should a user receive a spam...": we understood that the user is probably one of our prospects who does not want to receive such mail.
    - "The user must save each message containing...": the user is an inspearit employee receiving significant mails.
    Did we understand correctly? If so, the thing is that we cannot clarify sentences 2 and 3. It would be more explicit if "Users" were replaced by inspearit employees or prospects when applicable. On the other hand, our Marketing and Communication director doesn't think that inspearit sends any "spam", but rather some informative or commercial communications... Once again, could you help us?
  • Content of ISO 27001 & EU GDPR Toolkit

    I've already seen the included documents, but I didn't see: https://i.imgur.com/VqfLfSm.png which is a mandatory document for ISO 27000. Could you confirm please that it's not a mistake? In our company, we have our documentation for GDPR and ISO 27000, but we would like to improve it on our own using your templates and maybe be able to offer it to help some of our clients where possible.
  • CONTROLS A.18.2.1 AND A.18.2.2

    How to implement this control when the company is very small, that is, it has 6 employees? Critical analyses are usually carried out by the entire company team. In this situation, would it always be necessary to hire a specialized external organization, as suggested by the ISO 27002 standard?
  • Help with management review

    I am enjoying the course, thank you, and my company is going to pay for me to take the exam, which is really good. I would like some help doing my first management review this week if you have any tips or templates on what I should be doing for this.
  • ISO 27001 Mapping to CSA CCM Matrix

    Where can I find the Advisera matrix that maps ISO 27001 to the CSA CCM (Cloud Security Alliance Cloud Control Matrix)? I have the ISO 27001 toolkit and do not see it there. I believe this was a downloadable doc from your Blog or Free Downloads section of your website not too long ago.
  • How to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"

    Do you have a specific company example of how to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"? Unfortunately, the description in the document does not help me, nor do the linked articles. We need concrete examples to apply this to our company. The same applies to the definition of the ISMS scope. Unfortunately, the linked articles do not help here either. Do you have an example from a company of what the definition can look like?
  • Identifying Assets

    One of our primary assets is our customer data, which must be kept private. This data is primarily stored in an SQL database, but can also be found in printed form, email, staff members' brains, etc.

    Since the customer data can take on so many forms, the risks are relevant only to the form it takes.

    So rather than list "customer data" as an asset, would I list each form of the data as a separate asset, i.e.

    1. Customer data in SQL database
    2. Customer data accessible by web application
    3. Customer data in printed form
    4. Customer data transmitted verbally
    5. Customer data in the minds of employees
  • IR35 compliance and ISO 27001

    Hi Dejan, I wondered if you might be able to answer a query on ISO 27001 in conjunction with the IR35 legislation that is a hot topic for contractors at the moment. I have concerns that imposing ISO 27001 training and asking contractors to adhere to our rules (using a company-controlled laptop rather than their business laptop, for example) will go towards the contractors looking like a "disguised employee". Have you come across this issue before?
  • Grouping of Assets in Risk Assessment Table

    I'm working through the videos/templates that we purchased from you, and I have a question regarding the listing of assets in the Risk Assessment table. We have 6 or 7 desktop PCs in each of our offices. Do I need to list each PC separately and repeat the same risk information over and over again in the Risk Assessment table, or can I just group them as "PCs Office 1" and "PCs Office 2"?
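For the clear screen policy question above (lock after 5 minutes, shutdown every evening), the technical side is straightforward to enforce on a Windows workstation even though the forum post reports no known solution. The script below is an added example written for this page; it is not from the forum, from Advisera or from Conformio. It assumes an elevated PowerShell session on a standalone (non-domain) machine, and the 300-second lock timeout, the 20:00 shutdown time and the task name ISMS-NightlyShutdown are illustrative values, not requirements of the standard.

```powershell
# Added example: enforce the clear-screen settings described in the post.
# Assumptions: elevated session, standalone Windows 10/11 host, illustrative values.

$LockAfterSeconds = 300          # 5 minutes, as in the post
$ShutdownTime     = '20:00'      # "at least every evening"
$TaskName         = 'ISMS-NightlyShutdown'

# 1. Password-protected screen saver after 5 minutes idle (per-user setting;
#    on a domain the equivalent is the "Screen saver timeout" and
#    "Password protect the screen saver" user GPOs under Control Panel\Personalization).
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value "$LockAfterSeconds"
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'
Set-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE'        -Value "$env:SystemRoot\System32\scrnsave.scr"

# 2. Nightly automatic shutdown as SYSTEM, with a 5-minute warning so users can save work.
#    shutdown.exe /s (shut down) /t 300 (delay in seconds) /c (comment shown to the user).
$action    = New-ScheduledTaskAction -Execute 'shutdown.exe' `
             -Argument '/s /t 300 /c "Clear screen policy: this PC shuts down in 5 minutes. Save your work."'
$trigger   = New-ScheduledTaskTrigger -Daily -At $ShutdownTime
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Settings $settings -Principal $principal -Force | Out-Null

# 3. Verification: the check an auditor (or the SoA "implementation method") can point to.
function Test-ClearScreenSettings {
    $d    = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaverActive = ($d.ScreenSaveActive -eq '1')
        LockTimeoutOk     = ([int]$d.ScreenSaveTimeOut -le $LockAfterSeconds)
        PasswordRequired  = ($d.ScreenSaverIsSecure -eq '1')
        NightlyShutdown   = ($null -ne $task -and $task.State -ne 'Disabled')
    }
}

Test-ClearScreenSettings
```

The registry values under HKCU apply only to the user running the script, so roll them out through Group Policy (or a per-user logon script) rather than by hand; the scheduled task is machine-wide. An automatic log-off after a period of inactivity is a separate control: the screen lock already forces re-authentication, and a forced log-off can discard unsaved work, so many organisations choose lock plus nightly shutdown, as in the post, rather than idle log-off.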