ISO 27001 & 22301 - Expert Advice Community


  • Encryption Use Policy

    I acquired the cryptography usage policy, however I found it very simple. Please, do you have additional material on the subject?

  • ISMS Controls

    1 - I would like to know more about the controls. Are there any categories of controls?

    2 - Are there important controls and not-so-important controls?

  • Business abiding by ISO 27001 when using BYOD policy

    How would a business abide by ISO 27001 when using a BYOD policy?

  • Electronic File/Folder structure SOP

    My organization is looking to create an SOP on how to create a folder/file structure (electronic). We have lots of documents and everybody organizes their files/folders in their own way, and it is a disaster... Does ISO 27001 address that issue?

  • Internal Auditor from outside

    Hello Advisera,

    We've hired our internal auditor from outside, and we will receive the audit report from him.

    Do we still have to write the internal audit procedure and program, or is that normally what the internal auditor should provide us in this case?

    Thank you!

  • Questions for ISO 27001 & 22301 List of Mandatory Documents

    1. No 1. Document Code 00, Procedure for Documentation and Record Control.  Should this be marked as Mandatory for 27001?
    2. No 3. Document Code 02, Procedure for Identification of Requirements. Should this be marked as Mandatory?  I noticed No. 4, Appendix 1 is checked as Mandatory. Shouldn’t this be part of the Procedure for Identification of Requirement?
    3. No. 27. Document Code A.12.2, Change Management.  Should this be marked as Mandatory?
    4. No. 32. Document Code A.15.1, Supplier Security Policy. Should this be marked as Mandatory?  I noticed No.33, Security Clauses for Suppliers and Partners is checked as Mandatory. Shouldn’t this be part of the Supplier Security Policy?
    5. No. 34. Document Code A.16, Incident Management Procedure, Under the Relevant Clauses in the Standard, one of the controls display as A.6.1.2, should this be A.16.1.2?
    6. No. 57. Document Code 10, Internal Audit Procedure. Should this be marked as Mandatory?  I noticed No. 58, Appendix 1 is checked as Mandatory.  Shouldn’t this be part of the Internal Audit Procedure?
    7. No. 63. Document Code 12, Procedure for Corrective Action. Should this be marked as Mandatory?  I noticed No. 64, Appendix 1 is checked as Mandatory.  Shouldn't this be part of the Procedure for Corrective Action?

  • DRP applicability

    A client will have an ISO 27001 certification audit in July, and the DRP plan has already been contracted for delivery in December, with a signed contract. However, we know that in July there will be no evidence of a DRP test, only the purchased project and its progress. He wants to know whether this would result in a major nonconformity, making the certification recommendation unfeasible. The company in question has 2 servers in 2 cities. However, the systems are NOT complementary. One would not support the other in the event of a disaster. The DRP solution was therefore contracted to increase the capacity of the smaller equipment so that it can take over in case of an outage of the larger server. They already have the backup procedure, but, in the current situation, the company would not be able to keep all systems operating in the event of a disaster. The contracted project will be operational in December, but the audit will be in July. The concern is that the DRP is declared in the applicability document, and in July we will not yet have the main evidence of a completed test showing that the DRP is working. Only in December, as promised. The question is whether this will be considered a MAJOR NC for lack of practical evidence of the DRP test, or whether it would be a MINOR NC, since it shows that the situation is contracted to be resolved in December.


  • What does the graphic/pic represent?

    What does the graphic/pic represent in this article https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/

  • VDA ISA Certificate

    Hi, I would like to know if the VDA ISA Certificate overlaps with ISO 27001 and if we can use another template and implement all the controls needed for the VDA ISA, but using your own templates for ISO 27001. That would mean that when we do the risk assessment we will take into consideration the Excel table from the link above and later implement controls for ISO 27001 on that basis. Would that be enough to have a maturity level of 3 or 4 if everything is implemented and works? Any advice on implementing ISO 27001 and VDA ISA in parallel is greatly appreciated, and if you have materials that would be useful, or even document kits that we can buy, we would appreciate it. Thank you.