Dejan,
I know as part of the toolkit I can ask questions via email – but I am not sure who I am supposed to ask. So you win 😊
We are in the process of starting to implement the various components of ISO27001. Most are not documented yet. I am also starting my internal audit program planning. Here are my questions:
Do I need to complete an internal audit of ALL areas of ISO27001 BEFORE I can schedule/conduct my first external regulatory audit? It is my understanding that as part of continuous monitoring of the systems most companies break down the audit into sections and in a rolling 3 year period cover the entire standard. If that is the schedule I create, then at my first external audit I will only have a portion of the standard covered by internal audit. Is that acceptable? Assuming it is, how much of the standard do you think (and I understand this is subjective) we should have completed before the external audit?
Please let me know if you have any questions
ASD ISM to ISO 27001 mapping
I'm trying to find a document that maps the ASD (Australian Signals Directorate) ISM (Information Security Manual) controls to the ISO 27001 elements / controls. Do you know of such a document, or can you point me to someone who may know?
multi location vs BIA and RA performing
Hi, I would like to perform a BIA analysis based on the Advisera form. I have read your article - How to define activities when implementing business continuity according to ISO 22301. It's great and explains a lot. However, I have a problem with the approach to analysis in my case.
The company has a department which comprises 40 locations. They carry out the same activities but independently. An average of 100-150 people in one location.
1. Should I analyze the entire department at once and sum up the effects of losses (qualitative and financial) from all 40 locations?
2. Should I choose the largest location and analyze only one?
3. Or maybe I should complete 40 questionnaires?
I would like my approach to be in line with good business continuity practices.
How to conduct a risk analysis in this case? I understand that I need to analyze the risks for 40 locations?
Help with ISMS Scope Definition
Hi Dejan,
Hope you are doing well.
I bought your toolkit, but I still have some issues with the preparation of the SMSI documents.
For instance:
- The Document of the scope
The company has around 120 employees, has 2 sites, and 3 different activities: IT Solution integration, Training, and Cloud service provider.
One site contains the IT Solution integration and training Divisions with the HR & Commercial Departments, the other site contains the Cloud Division.
The company wants to certify only the Cloud Activity, but I want to check if we should include in the Scope the HR and Commercial departments to respond to the A.7 requirements and the security of customers' personnel information & customer contracts.
- The Business Continuity
Should we also prepare all the documents related to A.17 requirements even if the company doesn't plan to include the SMCA and business continuity certification in this scope?
Thanks in advance for your support.
Question about SoA
Dear Dejan,
I have a question for you about the Statement of Applicability. I’m doing an ISO 27001 implementation at a software company and the shareholders have given us only a couple of months. So I want to do a minimal project, doing only all the necessary policies, with the idea that we can expand on that in the coming years. So I looked at what documents are mandatory and which ones are not. But now I wonder how that translates into the SoA.
Example. We have a SaaS solution, so all information from customers is on very secure cloud systems from our suppliers. We don't have very much information that is very exciting on SharePoint servers. If the classification policy is not mandatory and if it's not a risk coming out of risk analysis that we need to control, does this mean we can say No on A.8.2.1 and following controls, or can I say Yes and fill in the limited measures we have, like the secure data center and so on? How would you go about this?
Physical and environmental security
If the organization has remote work for all employees, it does not have a physical environment and all processes are carried out in the cloud, do these controls apply to the organization?
A.11.2.1 Equipment siting and protection
A.11.2.2 Supporting utilities
A.11.2.3 Cabling security
Thank you in advance.
Secure Development Life Cycle
Another question. I think we know the answer, but just double check.
Q2 – We produce hardware and software that we sell to our customers. The software is based on licences.
2.1 - Do the ISO controls apply in any way to these products? I think not. I think that once they are acquired by the customer, the responsibility in terms of ISO27001 falls on them. Am I right?
2.2 - Does the ISO indicate controls for SDLC (Secure Development Life Cycle)? And for hardware?
2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc.), how does this affect us in terms of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, records, etc.) and store it in our systems then this data becomes our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect these logs/records/info?
BC strategy and ISO 9001
How does a BC strategy fit into an ISO 9001 certified company? What is the impact on QMS supply chain crisis, sales, training and communication, etc., if you have a BC strategy or not? How should I convince my CEO of its importance? (To my knowledge we don't have a documented BC Plan.) Thank you for clarification and presenting this topic.
Information in third party systems
Hello,
First of all, thank you very much for your help. It is helping me to understand how to do things in a better and simpler way.
Another question:
Q1 – The HR department has most of the systems they use externalized with 3rd parties. These cover our official web site, personnel information, payroll and other tools. The 3rd parties do the technical management, and our HR use the systems, maintaining the information. My guess is that these systems aren't assets we need to protect, because they are out of our control, but the information belongs to us.
How should we treat this case in terms of assets, risk assessments and controls?
Implementation questions
I am currently researching the topic of ISO 27001 as our number of institutional clients is increasing.
I would be interested in some information regarding the standard so I would be very grateful if you could take some time to help me with the questions:
1. I looked at the phases of the standard from Planning, Implementation, Verification and Further Improvements. I wonder how long on average full implementation and verification take?
2. Where are and what are our potential financial costs?
3. At what stage would the Auditor come and is this something you could do for us? (Also, I'm interested in the fee for that)
4. Any PDF resource would be great, which could describe the whole process in more detail. So if you have something similar, please send it to me.
5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask.