-
Encryption for Backup/Restore
1 - Do we need to encrypt all data during the backup/restore process or not?
2 - If yes, do we need to encrypt all the data, or do we need to classify the data?
3 - Who will decide what data should be encrypted?
-
Disaster Recovery Plan
1 - May I ask, is the Disaster Recovery Plan a good control to start with, and the most important one? Also, does it consist of many other controls that would then be covered at the same time?
2 - I suppose our Head Software Developer, who is also in charge of Server Maintenance, would be the person to document these steps, as it is much more complex than just “copy-paste install backup”.
-
Vulnerability Assessment & Penetration Testing policy
I can't find Vulnerability Assessment & Penetration Testing policy. I don't see it included in A.12.1_Security_Procedures_for_IT_Department_27001_EN.
-
15.1. Control Document
I have previously had advice that individual control documents are available, which I have reviewed, but our auditor has specifically asked us to develop a control document for 15.1.3 Information and communication technology supply chain; we already have a 15.1.1 and a 15.1.2. The supplier security policy appears to be more related to 15.1, but would it also cover the policy required for ICT supplier arrangements as required in 15.1.3?
-
Documentation of requirements
I checked the documents one by one against the ISO 27001 standard. Below are the clauses that I could not find being addressed in your ISO 27001 Documentation Toolkit.
Could you please confirm whether the toolkit is tailored to the specific organization or environment?
4.1 Understanding the organization and its context
5.1 Leadership and commitment
6.1 Actions to address risks and opportunities
6.1.1 General
7.1 Resources
The organization shall determine and provide the resources needed for the establishment, implementation, maintenance and continual improvement of the information security management system.
7.4 Communication
8.1 Operational planning and control
9.1 Monitoring, measurement, analysis and evaluation
10.2 Continual improvement
The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system.
A.5.1.1 Policies for information security
A.5.1.2 Review of the policies for information security
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
A.7.2.1 Management responsibilities
A.7.3.1 Termination or change of employment responsibilities
A.9.4.2 Secure log-on procedures
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access control to program source code
A.11.1.1 Physical security perimeter
A.11.1.3 Securing offices, rooms and facilities
A.11.1.4 Protecting against external and environmental threats
A.11.1.6 Delivery and loading areas
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
A.11.2.4 Equipment maintenance
A.12.1.3 Capacity management
A.12.1.4 Separation of development, testing and operational environments
A.12.4.4 Clock synchronisation
A.12.6.1 Management of technical vulnerabilities
A.12.7.1 Information systems audit controls
A.13.1.3 Segregation in networks
A.14.2.3 Technical review of applications after operating platform changes
A.17.1.1 Planning information security continuity
A.17.1.3 Verify, review and evaluate information security continuity
A.17.2.1 Availability of information processing facilities
A.18.1.3 Protection of records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
A.18.2.3 Technical compliance review
-
Scope of ISMS
Regarding the implementation of the ISO 27001 standard, we are in the process of determining the scope.
Our company deals with the following areas:
1. development of IT solutions,
2. digitization of documents,
3. hosting, and
4. keeping a paper archive for our clients.
It is clear to us that the first three areas need to be in scope. It is not clear to us whether the paper archive should be in the scope.
We would appreciate advice on this issue.
-
Terminating Employee
I want to terminate one employee, as he doesn't adhere to his job responsibilities. How can I do this without breaching our ISO 27001?
-
ISO 27001 implementation
My questions relate to the ISO 27001 policy and the standards and guidelines for implementation. I need to know if the documentation toolkit is inclusive of written policies and standards for implementation.
The A.12 Protection against Malware policy, for example, has the control objective of ensuring that detection, prevention and recovery controls should be implemented.
In my new organisation, the standards for implementing the Controls against Malware cover detection and prevention but make no mention of recovery. Do I include recovery controls in the standard?
Also, some policies overlap into different clauses, i.e. A.16 Information Security Incident Management and A.17 Information Security Aspects of Business Continuity. Should there be a single policy that is used to reference a similar control, or should there be different policies relating to the same subject?
-
BYOD
In the BYOD Policy and the Secure Development Policy, there are documents mentioned in the table such as "Procedures for secure information system engineering" and "Testing plan for security requirements and system acceptance". Where can we find these documents?