ISO 27001 & 22301 - Expert Advice Community


  • Questions about ISO 27001 implementation

    Hi team, I'm not sure if this is the right place. I purchased the ISO 27001 templates package and have a couple of questions:

    1. I have already read the ISO 27001 standard but I have not purchased it yet. We are ready to purchase the document, but I see it also refers to ISO 27000, 27002, 27003, 27004, 27005 and 31000. Do we need to purchase all those documents to pursue certification?

    2. We have defined the following objectives for the ISMS:
    - Create a better market image that will let us acquire or retain security-conscious clients, at least 4 during the next year
    - Ensure service uptime of 99.95% throughout the year
    - In case of disaster, data loss of a maximum of 24 hours, with time to recovery of 6 hours
    - Conformity with data privacy and security regulations
    - Reduce the damage caused by potential incidents
    - Ensure the confidentiality of the customer data handled by the company

    As you can see, some are measurable but some are not. Is there an obligation to make those measurable? What happens if the objectives are not achieved?

    3. When preparing the Risk Assessment, some of the risks are under the domain of a supplier. For example, our servers are hosted in a data center and we have a supplier that sub-contracts and manages the servers. What is the appropriate way to document those risks? I'm guessing we still have to list the risks (for example a breach of a server) and then in the Risk Treatment table we'll specify that those risks are transferred to a third party? Or should it instead be "selection of controls", regardless of who implements them, and then we would draw up a contract with the supplier to apply those controls?

    4. Our company is fully remote; our employees and contractors work from home. I guess this is an important thing to mention because it affects how the risk analysis is made (for example, there is no "office" asset, which maybe the auditor would not understand). Where is the best place to document this?

  • A.5 Information Security Policies

    Why are there no templates in the Toolkit for the controls under A.5 Information Security Policies? I would have expected to find these in the folder A.6_Organization_of_Information_Security.

  • ISO27001 - How to meet the requirement of A.17.1 and A.17.1.2

    The organisation has a DR network but no policies such as a BCP or DRP. What steps/approach should be taken to achieve compliance with the following: A.17.1 & A.17.1.2?

  • ISO 27001 statutory requirements

    How do we meet the ISO 27001 statutory requirements to an acceptable level within the reasonable resources at our disposal?

  • How to use ISO 27001 in the hospital

    How do we successfully implement ISO 27001 in a hospital?

  • Where do you see ISO 27001 in the future?

    Where do you see ISO 27001 in the future compared to the more widely known standards such as ISO 9001 and ISO 134001? Will it be the most important standard in the future due to the change in working routines?

  • Interested Parties

    I am currently writing the document for interested parties (ISO 27001:2013). Is it mandatory to write the names of the clients, or can we just categorize them as "clients" or "food clients"?

  • Annex A.17.1/2/3

    Could you explain what Annex A.17.1/2/3 really means and what is required to show compliance?