-
Statement of Acceptance of ISMS Documents
We're a fairly small organization with only a few employees and a handful of third parties helping us out with sales, compliance, etc.
We have used the "Statement of Acceptance of ISMS Documents". Could that be sufficient for "awareness training"? I mean that they sign this after reading all the documentation. Or we could add a few questions related to the policies that they would be required to answer when submitting the statement?
Would this be sufficient? Or is it expected by the auditors that we've bought some online tool to manage this such as the awareness training you and other companies offer?
-
Conflicting approaches to Risk Assessment
I need to reconcile what appear to be two conflicting approaches to Risk Assessment:
The toolkit's approach is as follows: Assets - Threats - Vulnerabilities. The Conformio approach is Assets - Vulnerabilities - Threats. Please explain.
-
ISO 27001 - feedback about some documents
Could you please give me feedback regarding these documents: 10.1, 10.2, 11.2 and 12.1?
They are indicated as mandatory, but we think they must be filled in after the audit step, right?
Maybe only document 10.1 must be filled in now.
We are waiting for some news.
-
Implementing controls
Another question please: in implementing an ISMS to ISO 27001 standards, should all the controls in a particular policy be implemented? E.g., A12.1.1, Controls against Malware, in the implementation guidance in ISO 27002 has 12 controls. Should all 12 controls be implemented in order to meet the requirements of the standard?
-
ISO certification questions
I purchased the ISO 27001 Toolkit and have two questions:
1) Are the risk assessment documents in the toolkit in line with ISO 27005, e.g. can we as an organization, after we are ISO certified using the toolkit, say we adhere to ISO 27005?
2) ISO is international, so it would be the same for Canada as it would for New Zealand, as an example.
-
BCP
I would like to know, if I have a company with a BCP certified to ISO 27001, whether it is compliant with the BS 25999 or ISO 22301 standard, that is, whether it is valid for or meets the standards of those norms.
-
Asset, Incident and Problem Management
I only found a document for Change Management (Änderungsmanagement). I am also looking for Asset, Incident and Problem Management. Do you know if there are also templates for these, or are they included in the Change Management document?
-
Question about Operating Procedures for IT Management
I hope you are doing well. I have a quick question about what is meant by Operating Procedures for IT Management. Is that required by ISO for year 1? Can you provide a sample if required?
-
Cryptographic tool
Hello Dejan,
Thanks for your message. I am really satisfied with the ISO 27001 document pack.
I have some questions about filling in the document 08_Annex_A_Security_Controls > A.10_Cryptography > A.10_Policy_on_the_Use_of_Encryption.docx.
I am confused about the table in chapter 3, especially the "Cryptographic tool" part. This is how I filled it in:
Type of information | Cryptographic tool | Encryption algorithm | Key size
Laptop | OSX FileVault | XTS-AES-256 | 256 bits
Backup | Hardware security module | AES-256 | 2048 bits
Source code | Hardware security module | AES-256 | 2048 bits
Data at rest | Hardware security module | AES-256 | 2048 bits
Data in transit | TLS 1.2 | ECDHE-ECDSA-AES128-GCM-SHA256 | 256 bits
Can you confirm that I understood and filled in this table correctly? Or did I mix up some information?
Thanks a lot for the clarification and have a great day.
-
Questions regarding the template of ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit
My company purchased ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit.
While working on them, I am confused by one of the templates, A9.1_Access Control Policy.
Can you please help me understand?
1) Which section does “privileges in respect to the abovementioned user profiles” in 3.4. Organization’s privilege management refer to? Is this 3.2 or 3.3?
2) If it’s 3.3 then looks like 3.4 and 3.5 will cover the same thing?
3) But section 3.7 mentions "Organizations' personal defined in 3.4 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…". This makes me wonder whether 3.4. is for 3.3. Is that correct? Or should this be "Organizations' personal defined in 3.5 as responsible for granting administrative access rights to its public cloud services, platforms, and infrastructure…"?
Can you please explain as I am not clear what to cover in those sections?