ISO 27001 & 22301 - Expert Advice Community


  • Annex A controls

    We are starting the certification process, but the controls are mostly not very clear and sometimes, in my opinion, redundant. Do you have any material that explains each of the controls mentioned in Annex A in a technical or exemplified way?

  • ISO 27017

    I am working with a client who wants to be ISO 27017 compliant.

    They've asked if there's any way they can be certified, considering they're already ISO 27001 certified. I've been researching the topic for a while and I've only seen this type of compliance statement being given to cloud service providers.
    I wanted to ask if you have seen this attestation being requested and given to any company that is only a cloud consumer.

    Thank you in advance for your attention!

  • ISMS question about scope

    I have got a question regarding the ISMS scope. Do we have to include a Location in the scope if we primarily work as a virtual team?

  • Scope confirmation

    I'm taking your ISO 27001 course. Very impressive.

    As far as I understood, the ISMS applies to services/departments, not to a final product.

    Can you give me an opinion about the scope below?

    "The management of information security in the provision of all products and services at all locations, within all business units of xxx Corporation"

    The xxx company is a very small company with just 8 employees.

  • Information classification and labeling

    I asked for documentation to review whether it carried the correct label of confidential or restricted. The documentation sent did not have any labeling and I put an observation there, but the auditee answered me this:

    "Information requested for audit is defined as confidential by principle and definition. It can't be used as evidence related to information classification and labeling. The correct evidence is if the auditor finds evidence of restricted and confidential information being shared within the scope without correct labeling."

    Is this correct? I took it as a nonconformity because the records and reports did not have the appropriate labeling.

  • Benefits of asset-based approach

    I am looking at this article right now:
    https://advisera.com/27001academy/blog/2016/04/04/iso-31010-what-to-use-instead-of-the-asset-based-approach-for-iso-27001-risk-identification

    And I didn't understand what the benefits of an event-based approach are compared to an asset-based approach...

  • Finding an auditor

    I have been taking a look at your offering, attended yesterday's webinar and will attend more, and for now it feels like your offering could very much fit our requirements.

    We are likely one of those "could do it almost by ourselves, but need help with some items" companies.

    I personally have not rolled out 27001 yet, but I used to work with controls, procedures, policies, etc.

    The biggest question mark for me right now is how to find an auditor that could fit this approach. Do you have any recommendations on that?

  • Recommendations for the registrar

    I was checking to see if you have recommendations for the registrar that would be auditing our company, should we pursue ISO 27001 certification. Thank you.

  • Calculating ROI for ISO 27001 ISMS implementation program

    What is the best way to calculate the ROI for an ISO 27001 ISMS implementation program?