Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Cyber-security Career
I am a Software professional having around 16+ years of IT experience, worked as Developer, Support Lead, ERP Technical Manager and Delivery Manager, etc.,
For the last couple of years, I wanted to venture into the Cybersecurity domain and start my career in the Cybersecurity space.
Could you please advise me on how to and where to start my path into this interesting zone? -
Remote audit
Hi - I am getting ready to conduct an ISO 27001:2013 internal audit of an organization. The plan was to conduct onsite visits in other countries. Question: Can I conduct a remote audit if possible?
-
Risk assessment
A question about Risk Assessment: we're a small company (5 full time, 2 part-time staff). It would be simpler for us to say that the Information Security Officer is the asset owner for all assets. Is there a problem in doing that?
-
ISO 22301 book
Sorry to disturb you I'd like to ask you if the 22301 book on amazon is related to 2019 version or 2012 thanks
-
ISMS documentation
How do I construct an ISMS document and supporting documents?
My management is not in agreement to do Business Impact Analysis Worksheet and Risk and opportunities Register to proceed.
How can I convince them to do so?
I need your continuous support in managing ISMS to achieve certification. -
Template content - List of Legal, Regulatory Contractual requirements
Now I have 2 questions if you could help me with these:
If I choose to use: 02.1 Appendix 1 (List of Legal, Regulatory Contractual requirements) right at the start of the Project (because also Annex A 18.1.1. control is likely to be applicable), could you explain me:
- 1. How detailed description should be used when documenting “legislative, regulative and contractual requirements”? I mean do you need to write down the Act of the suitable law and name every individual contract and its points (vendor name, contract point and description of the matter)?
- 2. What does the standard mean to “identify and document organizations approach to these meet these requirements”?
-
Templates content
Hi, which templates cover the following ISO 27001 clauses?
A.8.3.1
A.12.5.1
A.12.6.1 -
Templates content - RTO and RPO
Today we bought the toolkit BIA according to the ISO 22301:2012 version of the standard. But, checking the document I cannot identify the (RTO and RPO) values.
These values are very important for us because our customer is requesting as a part of the BIA report.
How can identify, relating or include these values in the Excel questionnaire? -
Templates and applicable controls
I have downloaded the Files saved under my Project. I have a Question here. Since there are around 114 Controls listed in the ISO 27001 Manual, do we here have each Template for each Control or one Template can be used for the documentation of the multiple Controls. For e.g you find attached the A.8.2 Template for the Documentation and in the Documentation (IT Security Policy) the below text is mentioned. So the Question is whether is the attached Document only for A.8.2 Valid or it is valid for all the Controls mentioned in the below screenshot. -
Corrective actions
I do have one more question about best practices for ISO 27001 implementation regarding corrective actions.
Let's assume the scenario:
- We have implemented ISMS policy
- During the internal audit, we have found out non-conformance to the policy in a specific area/control.
We can take three decisions based on known risks:- Register non-conformance and resolve it in short-term
- Register exception to policy for 6-12 months
- Modify policy since it was too strict
The option to address it in short therm is always the best, but I want to find out the best practices for long-term solutions (option 2).
Is it better to keep the non-conformance list or exception list and revalidate it every time?