Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Filling asset inventory
You told me that listing the consequences inside the Asset Inventory comes out of the Risk Assessment Table and isn’t mandatory (but best practice). So far I totally got it and it makes more sense as the comment says before. But here is the thing: If I take the asset "top management" for example, I have for one asset different consequences inside the Risk Assessment Table, cause I have more than one vulnerability and threat. One asset with two different consequence-levels. The Asset Inventory consists of the asset „top management“ but needs just one consequence-level, right(?) Or shall I put both consequence-levels for one asset inside the Asset Inventory?
-
ISO 27001-2019
First, please accept my apologies if there is a general email address to which to send inquiries, but looking through all the relevant correspondence I could not find any indication as to where to send questions so I am just replying here as you had specified in the email below. In any event, please feel free to redirect as you see fit and let us know if there is a specific email for inquiries moving forward.
-
Use of encryption
In the past years, encryption has become a key control for protection of integrity and confidentiality of data. Many organizations use encryption technology such as disk encryption provided by the OS with managed keys. I am surprised to see this statement as not allowed per IT Security Policy:auf einem lokalen Rechner Kryptographie (Verschlüsselung) zu nutzen, außer in den Fällen, die in der Richtlinie zur Klassifizierung von Informationen
(Use cryptography (encryption) on a local machine, except in the cases specified in the Information Classification Policy)
This seems to be an old control to ensure availability. In my view, any organization should make it mandatory to use the corporate encryption solution – and central key management. -
Transferred risks
En el analisis de riesgos, si se decide transferir el riesgo de unos activos, a un tercero, con quien existe un contrato de mantenimiento. Por ejemplo, se decide transferir el riesgo de un conjunto de serviodores muy criticos, a la empresa de mantenimiento. -
Risk and asset owner
Hola, tengo una duda en el analisis de riesgos. Puedo tener 1 activo, con 1 propietario del riesgo, distinto al propietario del activo y despues ademas, transferir el riesgo de este activo, a un tercero? por ejemplo: -
Defining ISMS scope and access profiles
Antes de plantearle una duda que tengo les pongo en situación: Mi empresa realizó previamente un análisis de riesgos por el que tenemos dicho análisis y la declaración de aplicabilidad (aplica todo), para avanzar en el objetivo de conseguir la certificación ISO 27001 se incorporó en nuestra compañía una responsable de cumplimiento legal y se ha puesto al frente para conseguir esta certificación, analizó los datos comentados antes y nos solicitó a IT las políticas de seguridad (este es el motivo de la adquisición de las plantillas: la creación de nuestras políticas en base a estas plantillas) -
ISO 27001 Objective measurement document
I am looking for document for ISO 27001, Objective measurement. We have the toolkit and it is not there ,maybe we can get it extra?
-
Document control
We have started the work and we do have the following question: when talking about the control of documents in paragraph 3 and 4 (internal and external documents) does that mean the ISO process documents or all documents within the organisation. I.e. Invoices/quotations/mail/ etc?
-
Hybrid approach for risk assessment
Can we perform Hybrid approach (Service based & Asset based) risk assessment? Also, can we create the process /methodology document likewise?
-
ISO 27001 implementation case studies
Are there any case studies available where ISO 27001 has been implemented successfully