Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Needed Policies
Could you please provide me with the below policies. As per project plan i have to develop these policies. I understand some of them are non-mandatory but my supervisor has requested to develop these. The package i purchased does not have these policies.
Vulnerability Management Policy
Penetration Testing Policy
Cybersecurity Awareness Training Policy
Asset Management Policy
Wireless Access Policy
Endpoint Security Policy
Anti Virus Policy
Patch Management Policy
Log Monitoring Policy
Incident Response Policy
Regards
-
Supplier Security Policy
Hello Support, I hope you are doing well, I am planning to work on the SUPPLIER SECURITY POLICY, I have some questions: Do you have any SUPPLIER SECURITY POLICY questionnaire template ready on the toolkit or your website? Do you have any SUPPLIER SECURITY MANAGEMENT partner or suggestion that we could consider to use? In the 3.2. Screening, the policy says “[Job title] decides whether it is necessary to perform background verification checks for individual suppliers and partners, and if yes – which methods must be used.” What method does it mean? -
Incidente de segurança da informação
ISO 27001 - incidente de segurança da informação - qual o prazo para que seja feita a notificação e tratativa?
-
Removing approved risks in Conformio
How its possible to remove some threats and vulnerabilities that we already reviewed and approved? -
Vendor/third party risk management/assessment
I wonder if you have any document about Vendor\third party risk management\assessment? Also is it covered in ISO27001?
-
ISO 27001 audits
1. Can the same person who manages ISMS for the organisation do the internal audit? Is there a conflict of interest? 2. Does the internal auditor need to be technical in IT. Where system security applications as stated in the policies/ procedures, do the internal auditor need to verify its functionality/ effectiveness or only need to view documented materials. In another word, do the auditor need to test the system for validity? 3. Can an internal audit be carried out in stages over different timeframe or must be done in one process? -
Asset inventory
Hi! I'm a customer with you at the moment. I bought the ISO 27001 template package. One quick question: Should the Asset Inventory spreadsheet and the Risk Assessment spreadsheet always reflect each other? I mean should they always have the exact same assets? Currently, in my Asset Inventory, I have a "Dell XPS17" and a "Dell XPS15" but in my Risk Assessment I just wrote "company-owned laptops". Does it make any difference? -
Data Backup and Restore
Does the backup and restore process should be encrypted?
I Mean the tapes itself.
-
Control diversification
Hi, I'm a customer using your template package for ISO 27001. Quick question for the experts: I've read this thread in the community (https://community.advisera.com/topic/control-objectives-in-the-statement-of-applicability) but I'm still having some difficulties. We're a very small organization with a scope of 3-4 persons. We've never had a security incident. I know that you've added the "Control objective" column to make it practically easier, but I start to wonder if we should completely remove the column. The only control objective I can think of is "We want to continue having 0 (zero) security incidents". And sure, I can put in "We want to have zero security incidents due to (insert e.g., lack of patching, poorly managed access rights etc.) Currently, I've written the same thing in almost every control (formulated as a question though): - Has any incidents occurred due to failed control with access rights? - Has any incidents occurred due to the lack of security measures in the transfer of physical media? I cannot figure out how to diversify it. Can I completely ignore the control objective column and then just go by "We want to keep having zero security incidents. If we register any - how many? And due to what?" and then look to the weakness. -
10.1.2 Key management
I wanted to ask how I can check annex 10.1.2 Key management during the internal audit session what's needed to be satisfied these requirements.