ISO 27001 & 22301 - Expert Advice Community


  • SOA Based ISMS Manual

    We have now taken the first steps, but are still waiting for the release of the ISO standard for 2022.

    We also want to align our SOA with this new version. I intend to structure the SOA in such a way that I have a high-level document that only contains the controls and the selection including the justification - the document is also available to customers because they have already asked for it in the certification process. The 2nd level describes the requirements from the standard and our planned and implemented implementation in more concrete terms - this also results in a kind of "Security Management Manual".

    I have attached an initial draft for A5 (Organizational Controls) (2022). What do you think of it, does this procedure suit an auditor?

  • Position Description Question

    I wanted to touch base with you about a quick question. This is about ISO27001 control regarding stipulating Information Security obligations in Position Descriptions.

    We are an ISO-27001:2013 compliant company and we have generic Info Sec roles and responsibilities articulated in our Position Description.

    I wanted to know if there is a need to articulate role-specific Info Sec roles and responsibilities as well in PDs. For example, a Backup Engineer’s Info Sec roles and responsibilities would be different from those of a Network Engineer. Some views in our company are that it would be overkill, as ISO doesn’t mandate going into such details.

  • Necessity to include specific user

    Hi, as an IT Security Engineer I am the "Project Manager" for our company (as a role in Conformio). We have a senior project manager at our company as a consultant for ISO27001. He is sporadically consulted on our documents due to his experience in ISO certification. Do we need to include him in our Conformio and documentation with regard to the ISO27001 standard or not?

  • HR as asset and risk owner of SA

    Could you elaborate a little bit more on this one?

    How is HR the asset and risk owner of SA, and the threat social engineering?
    https://i.imgur.com/Cb67z0y.png

  • Asset inventory

    A question arose about the item “asset inventory”: in control A.8.1.1, should the table contain all assets individually or by group as in the risk analysis table?

    Example: In the risk analysis, we identified a group of professionals as “specialist employees” and did the risk analysis on this asset, then in the asset inventory table do we need to define each of these people? Another example: we also defined in the risk analysis worksheet “employees' computers” as an asset, in the inventory table do we need to specify one by one?

  • Career in GRC domain.

    Apart from your foundation, what cybersecurity certification should I be looking for as a starter in the GRC domain?

  • ISO 27001 Management Review : Fulfillment of the security objectives

    Greetings all.

    I have a question about one of the topics to be addressed during the ISO 27001 Management Review: the fulfillment of the security objectives. I have some challenges presenting this topic.

    To fulfill this requirement I was thinking of addressing the ISO 27001 6.2 requirements (6.2 f: what will be done; 6.2 g: what resources will be required; 6.2 h: who will be responsible; 6.2 i: when it will be completed; 6.2 j: how the results will be evaluated) through a table that would contain columns for these different topics:

    • Recommendation (from the risk assessment)
    • Risks (covered by the recommendation)
    • Roadmap project (which contains all the details of the resources, the deadline and the responsible person)
    • Related security objective
    • Related KPI with target
    • Progress status of the project

    Is this something that you think can help address this?

    Thanks for your valuable recommendations.

  • Doubts about the package of documents to buy

    Hello, I would like your advice on which package of documents is useful for me to work on some rules and policies of ISO 27000.

    I have to comply with these points:

    1. Secure management of electronic and paper information (secure means of printing, storage, transfer).

    2. Timely management of critical and security updates of the operating systems of any equipment and corporate applications that receive, process and/or protect CLIENT information.

    3. Correct administration of the antivirus systems that protect the equipment that receives, processes and/or protects the CLIENT's information.

    4. Appropriate controls to protect against unauthorized access to IMR's corporate networks (protection of wired and wireless networks, intrusion detection, etc.).

    5. Adequate controls over the privileges/profiles of all users, as well as administrative permissions exclusively to prevent the installation of unauthorized software, blocking of portable applications, games, unauthorized programs and any other code or executable files that could put at risk the information that is processed in the equipment with access to CLIENT information.

    6. Appropriate controls for good use of internet connectivity, taking care that CLIENT information cannot be exposed in services such as public email, instant messaging, social networks, discussion forums, file sharing sites, among others.

    7. Appropriate procedures for the correct administration of Security Incidents (information theft, misuse of information, damage to equipment with CLIENT information, among others).

    8. Appropriate controls for access to equipment containing CUSTOMER information, procedures for managing users due to employee termination or role changes, etc.

    9. Correct controls to guarantee the integrity of the equipment when it is unattended (automatic locks with screen protection, physical locks to secure equipment, etc.).

    10. Correct and complete documentation to ensure that the personnel who access the CLIENT's information have complied with a formal hiring process, signature of confidentiality agreements, among others.

    11. Appropriate procedures to control confidentiality agreements with third parties, indicating the prohibition of contracting/sharing/accessing CLIENT information with unauthorized third parties, without having previously documented the CLIENT's authorization.

  • Query on ISMS Scope

    I had a small query on the outlined ISMS scope in the organisational units. 

    Can you check the attached image if it is correct for the organisational unit highlighted scope? 

    • I have added myself (IT security admin) and the Internal Audit Team. 
      • I will be leading the ISMS implementation while the Audit team will perform the internal audit of the ISMS implementation. 
    • With the location and network in scope and out of scope, 
      • Can we include all offices in scope as listed in the previous document as the outsourcing team will be working across Nepal offices?

    As we cannot segregate office locations specifically for the outsourcing division, we will assess and implement ISO controls accordingly for the outsourcing team.

  • Questions related to ISO 27001 Controls

    I am curious to know about the coverage of all controls during the external audit. To one of my questions, you said that only the controls which are applicable can be considered.

    So, my next question is: I am working for an IT software company, and can I skip any or all of the following controls?

    • A.6.2 Mobile devices and teleworking
    • A.7 Human resources security
    • A.8 Asset management
    • A.9 Access control
    • A.10 Cryptography
    • A.11 Physical and environmental security

    Please advise. I would like to know:

    a. What are the criteria for selecting a control?

    b. What all are the mandatory controls (a must control) which the external auditor would like to see for certifying the company?

    My understanding is that all the controls are applicable to all industries, companies, etc. Hence the question.
