Guest
I would like to discuss the topic of how to integrate ISO 27001 with the implementation of a SIEM; that is, I have some concepts and some existing relationships clear, but I would like to substantiate that integration better and learn more about ISO 27001 in order to relate it.
I wanted to find out which ISO 27001 output documents are to be made ready before the Risk Assessment process commences?
Can the RTO be more than the MAO?
What software do you use for making the assessment process?
Please, I would like to know the roles of the IS Manager in any organization.
In the procedure for document and record control doc, it says...
“Each external document which is necessary for the planning and operation of the ISMS/compliance with GDPR must be recorded in the incoming mail register. The incoming mail register must contain the following information: (1) document number, (2) sender, (3) document name, (4) date of receipt, (5) name of the person to whom the document has been forwarded.”
1. Is this something that is needed for ISO?
2. How do I know which external documents are necessary for ISMS compliance?
3. Also is there an incoming mail register document as part of the templates?
Do you have any hint of what points to be taught in an awareness session to users?
We are developing our Risk Register using the Advisera Templates. We have to mention the values of Consequence and Likelihood after the Risk Treatment, i.e. Residual Risk. Will application of a control reduce the “Consequence” as well?
For example, “Unauthorized Physical Access to Data Center” may have a “High” consequence and “Medium” likelihood. After application of controls like CCTV/Door Lock we can reduce likelihood to “Low”, but will it reduce the “Consequence” as well?
Even after the control is applied if there is a breach it will have the same Consequences.
Dear Advisera team, greetings. Just some clarification on the topic of the Internal Audits that one needs to do after the certification. Do we need to audit aspects of ISMS on the IA (like Leadership & Commitment (5.1))? I ask because the external auditors on the surveillance audit will for sure check the ISMS level of implementation on the business, but can I just check on annex A controls? What is mandatory (and what would you recommend)? Many thanks in advance.