Are the ISMS Policy and the Information Security Policy the same or different policies?
SOA Table ISO 27018 specific controls for processing Personally Identifiable Information (PII)
The ISO 27018 table in the Cloud Toolkit SOA is completely wrong in terms of clause IDs when mapped to the standard. This is a mess. Are the references in the toolset documents for the 27018 clauses wrong too?
Can you please fix ASAP. I need a table showing which of your documents map to the renumbered clauses in the ISO standard.
Question - ISO 27001
Hello – I am a partner with you and have the following situation I hope you could advise on…
I have a client who has 1 Director and no employees, and he uses Contractors (Suppliers) to perform all the work for him – and he is looking for ISO 27001 certification.
His business is a website registration system, and it is mostly Software/website development.
Questions:
1. How do you put in place HR systems when there are no employees? Would this be more about supplier management, and supplier worker management?
2. With software development, would they either: (a) require suppliers to follow his requirements or ISO-compliant software development manuals, or (b) require the subsidiary to produce their own software development manual (which meets the requirements of ISO 27001) – which he approves?
I hope you can advise?
ISO 27001 implementation requirement
The instructor has mentioned that "conducting the risk assessment is in the Plan phase". Isn't this an action that belongs more in the Do phase?
Can private hardware used for business purposes be excluded from the scope?
A question has arisen regarding the documentation toolkit for ISO 27001:
Under what circumstances may private hardware used for business purposes be excluded from the scope - is this allowed according to ISO 27001, 27017 and 27018?
Device asset tracking
I have been involved with ISO27001 accreditation in my previous role.
My main question was around the device asset tracking. For an asset, is the serial number an accepted method of identifiable name for a device?
Creating, reviewing, and approving documents
Who shall create, review, and approve documents (i.e., policies and procedures) for ISO 27001?
The practice in our organization is that all Corporate Service Unit Heads that would be affected by the documents need to sign, as "Endorsers" of the documents.
I would like to propose that they minimize the number of approvers. But I need justification for the proposal.
I just need a justification for reducing the number of signatories for the documents so that the routing would be lessened. I mean the governance team would be the signatories instead of the many currently on the list.
Risk re-evaluation processes, Risk Treatment and Annex A controls
If you could help me with this question about documenting risk re-evaluation processes and Risk Treatment with an ISO-certified SOA already in place:
Is it mandatory to document the mapping process, in other words to assign the Annex A controls to the relevant risks in the 05.2_Appendix_2_Risk_Treatment_Table from the drop-down menu,
or
is it enough that applicable controls are determined [necessary to implement, 6.1.3 b)] and compared [with Annex A, 6.1.3 c)] only in the SOA?
I'm conducting a risk re-evaluation and if any new controls are applicable, I believe I'm able to spot them and write them straight into the SOA without mapping all the controls beforehand in the RT Table.