First of all, I wish you all the best for this new year, to you, the whole Advisera team as well as your loved ones.
Starting this new year with our Risk Assessment Table, I was wondering how detailed it should be. I'm sure that, by thinking about it, I could add and add specific points, but I'll have to stop at a certain point.
Any general advice about this?
More concretely, as our ISO 27001 certification is focused on our SaaS platform, we use a lot of different cloud provider resources, like databases, servers, and many different tools.
Is it a best practice to list them all and find potential threats and vulnerabilities for each one?
Two examples:
- We use *** and *** as 2 separate databases. Should I list both of them or can I "simply" mention that we use "databases" and find threats and vulnerabilities that are applicable to both of them?
- We use *** and *** as documentation tools (that can include sensitive information). Should I address them separately?
SOA; CONTROL APPLICABLE vs. CONTROL IMPLEMENTED?
1 - Can you help me explain the implementation of SoA?
2 - Is the SoA acceptable if not all applicable controls are implemented, i.e. if some controls marked "control applicable" are not marked "control implemented"?
ISO 27005:2018
I trust that you had a relaxed and safe Festive season.
As I prepare for my deep dive into Information Security Audit and Risk Management, I have taken your advice and am reading ALL relevant Standards so as to ensure I can respond with confidence in respect to their importance on my journey.
I found the following statement in the Introduction section of ISO 27005:2018:
This document is based on the asset, threat and vulnerability risk identification method that is no longer required by ISO/IEC 27001.
There are some other approaches that can be used
Please be so kind as to provide your insight into the relevance of this to an ISO 27001 risk assessment and ISMS implementation.
Look forward to your valued response.
Protection against abuse of rights
How can the threat of abuse of rights be countered in the CRM system? I know that cybersecurity awareness and training and NDAs are solutions. Is there another solution for this threat?
04.1_Information_Security_Policy_Cloud_EN
Using your toolkit, I am writing 04.1_Information_Security_Policy_Cloud_EN. In the document, it is stated that to learn how to fill out this document, and to see real-life examples of what you need to write, watch this video tutorial: “How to Write the ISMS Policy According to ISO 27001”.
However, I see some differences between the Word document in the toolkit and the document in the video.
Is this because they are different documents? Or Have there been changes made to the toolkit? If so, is there a video tutorial for 04.1_Information_Security_Policy_Cloud_EN?
Moreover, the title of the 2 documents is different. In the toolkit it is "INFORMATION SECURITY POLICY" but in the video, it is "INFORMATION SECURITY MANAGEMENT SYSTEM POLICY".
ISO 27001 package question regarding risk assessment
Thanks for the call last week! I proceeded with the risk assessment. Just a small question: the evaluation of the probability of a risk already takes into account the measures that we have already implemented - is that correct?
Because in the methodology it says:
So that means: if we have already implemented several security measures for certain risks, the probability will be low in the risk assessment. This would lead to quite a small number of unacceptable risks (3 or higher) that would be transferred to Annex 2 "Risk Assessment Register" (Anhang 2 "Verzeichnis Risikoeinschätzung"), currently around 12 risks to be transferred in our case.
Did I understand this correctly? Or do we need to evaluate the risk without taking into account the measures we already have?
Thanks for your help!
Cloud services auditability
Thanks for this… quite timely too, as I am in the middle of undertaking research for a professional doctorate degree in information security. My research is around the auditability - or lack of it - of cloud service providers by cloud customers. As a 3rd-party assurance consultant, we are getting more and more resistance from suppliers/partners of cloud services to audit them. My research aims to review existing cloud audit frameworks and draw out any gaps, and to propose a new framework that allows CSP auditability. The proposal is to develop an audit authority that can perform audits of cloud service providers using the proposed framework. The audit reports can then be made available to businesses so they do not have to audit the CSPs themselves.
I have contacted the CSA for their input and hoping to get their feedback soon.
1 - Would you happen to have a mapping of cloud audit frameworks that highlights common controls and differences?
2 - Also what is your opinion on the Cloud Audit Authority proposal?
Risk assessment Vs SoA
Dears,
Once we handle the risk assessment and treatment plan, we will choose the controls necessary to reduce the related risks. In the SoA we have to go through the 114 controls and choose which of them are implemented, will be implemented, or are not applicable.
So we are repeating the same steps in both the risk assessment and the SoA... so why not only go through the 114 controls, which would cover both steps (controls needed to reduce the risk and the SoA process)?
Appreciate your feedback
About the IT security Policy and some documents mentioned as "implementation method" in the SOA
1. Filling in the IT security policy, we ran into trouble on 2 points:
3.12.2. Clear screen policy
Our current communication to employees is to lock the screen whenever they leave their desk and to shut down when they leave the office (with or without the PC), and at least every evening. Our PCs are also configured to lock the screen automatically with a password after 5 minutes without activity.
But we don't have any automatic log-out or automatic shutdown. After a discussion with our IT administrator, he doesn't know any solution to do so. Looking around with our consultants, none have seen such a solution implemented by our customers, even those most concerned with security.
So we decided to continue with the current situation. However, describing the current policy is not possible, and the automatic shutdown option cannot be removed from the IT security policy in Conformio… Could you help us?
2. 3.14. E-mail and other message exchange methods
Trying to fill that chapter, we found some ambiguity in the usage of the term “Users”
“Users may only send messages… Users must not send spam...” : the user is an inspearit employee sending mail
“Should a user receive a spam…” : we understood that the user is probably one of our prospect who do not want to receive such mail
“The user must save each message containing…” : the user is an inspearit employee receiving significant mails
Did we understand correctly? If so, the thing is that we cannot clarify sentences 2 and 3. It would be more explicit if "Users" were replaced by "inspearit employees" or "prospects" where applicable.
On the other hand, our Marketing and Communication director doesn't think that inspearit sends any "spam", only informative or commercial communications…
Once again, could you help us?
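The post above describes a fleet of Windows PCs that lock after 5 minutes of inactivity but have no automatic shutdown. As an added example (not part of the original question, and not Advisera's or Conformio's own material), the PowerShell below enforces the inactivity lock machine-wide and adds a scheduled evening shutdown with a warning. The 300-second timeout, the 20:00 shutdown time and the task name are assumptions chosen to match the practice the post describes; adjust them to your own policy.

```powershell
# Added example: enforce the screen-lock timer described above and add an
# automatic evening shutdown on a Windows PC. Run in an elevated PowerShell.
# The values (300 s, 20:00, 5-minute warning) are assumptions, not from the post.

# 1. Machine-wide inactivity limit ("Interactive logon: Machine inactivity limit").
#    Locks the session after 300 s idle regardless of per-user screen-saver
#    settings, so a user cannot switch it off from the desktop.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'InactivityTimeoutSecs' -Value 300 -Type DWord

# 2. Secure screen saver for the current user as a second layer.
#    (HKCU applies to the profile running this script; deploy via GPO for all users.)
$desktop = 'HKCU:\Control Panel\Desktop'
Set-ItemProperty -Path $desktop -Name 'ScreenSaveActive'    -Value '1'
Set-ItemProperty -Path $desktop -Name 'ScreenSaverIsSecure' -Value '1'    # password on resume
Set-ItemProperty -Path $desktop -Name 'ScreenSaveTimeOut'   -Value '300'  # seconds

# 3. Scheduled task: every day at 20:00 warn for 5 minutes, then force a shutdown.
#    /f closes open applications; /t 300 gives users time to save their work.
$action   = New-ScheduledTaskAction -Execute 'shutdown.exe' `
              -Argument '/s /f /t 300 /c "Policy 3.12.2: this PC shuts down in 5 minutes. Save your work."'
$trigger  = New-ScheduledTaskTrigger -Daily -At '20:00'
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName 'ISMS-EveningShutdown' -Action $action -Trigger $trigger `
    -Settings $settings -User 'SYSTEM' -RunLevel Highest -Force

# Verification: the policy value should read 300 and the task should be Ready.
Get-ItemProperty -Path $policy -Name 'InactivityTimeoutSecs'
Get-ScheduledTask -TaskName 'ISMS-EveningShutdown' | Select-Object TaskName, State
```

Two caveats a practitioner should record in the policy text: an interactive user can cancel the pending shutdown with `shutdown /a` during the warning window, so the task enforces the habit rather than making shutdown impossible; and the HKCU settings only apply to the profile that ran the script, so in a domain the same values belong in Group Policy (Computer Configuration for the inactivity limit, User Configuration for the screen saver) rather than in a per-machine script.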
Content of ISO 27001 & EU GDPR Toolkit
I've already seen the included documents, but I didn't see:
which is a mandatory document for ISO 27000. Could you please confirm that it's not a mistake?
In our company, we have our documentation for GDPR and ISO 27000 but we would like to improve it on our own using your templates and maybe be able to offer it to help some of our clients where possible.