Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISMS question about scope
I have got a question regarding the ISMS scope. Do we have to include a Location in the scope if we primarily work as a virtual team?
-
Scope confirmation
I´m taking your ISO 27001 course. Very impressive.
As far as I understood... the ISMS applies in services/departments not in a final product.
Can you give me an opinion about the scope below?
"The management of information security in the provision of all products and services at all locations, within all business units of xxx Corporation"
The xxx company is a very small-sized company with just 08 employees.
-
Information classification and labeling
I have asked for documentation to review if they have the correct label of confidential or restricted, the documentation sent did not have any labeling and I put an observation there, but the audited answered me this:
"Information requested for audit is defined as confidential by principles and definition. it can't be used to mark as evidence related to information classification and labeling. The correct evidence is if the auditor find evidence of restricted and confidential information is shared between the scope without correct labeling."
Is this correct? I took it as a non conformity because the record and reports did not have the apropriate labeling.
-
Benefits of asset-based approach
I am looking at this article right now:
https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identificationAnd I didn't understand what the benefits of an event based approach are instead of an asset-based approach...
-
Finding an auditor
I have been taking a look at your offering, attended yesterday’s Webinar and will attend more and for now it feels like your offering could very much fit our requirements.
We are likely one of those ‘could do it almost by ourselves – but need help with some items’ companies.
Me personally have not rolled 27001 yet but used to work with controls, procedures, policies, etc.
The biggest question mark for me right now is how to find an auditor that could fit in this approach. Do you have any recommendations on that?
-
Recommendations for the registrar
I was checking to see if you had recommendations for the registrar that would be auditing our company should we pursue the ISO 27001 certification. Thank you.
-
Calculating ROI for ISO 27001 ISMS implementation program
How the best way to calculate the ROI for a ISO27001 ISMS implementation program? -
Clause 7.5.1
Hi Dejan Hope you are well. I had a quick question please. Clause 7.5.1 has a "shall" but the procedure for documentation control is not marked as a mandatory document in your checklist. I was wondering what could be the reason for that? Thank you -
Protecting and keeping data safe
The question I had: Do we as a company get by extension the benefits of cloud companies having all the certificates and good practices when it comes to protecting and keeping data safe. We are working with *** and ***. An example scenario would be an auditor asking my company how we back up data? And our answer is that we back up our data on 2 different servers: *** and *** for example. Would that be OK? Since we are not the ones responsible for the data, but we are offloading this to a much more secure company. Is this something that we can evaluate as low risk and not implement special controls when it comes to protecting this data, since we are getting the benefits of using a cloud provider?
-
Career in compliance
I want to make career in compliance although I have 1.5 years experience of infosec. How do I start it?