Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 and ISO 20000 certification
Our company is looking at getting ISO 27001 and ISO 20000 certification. Do you think this is necessary? Or which one will suffice to cover both certifications
-
Information security objectives
I have this example on my Information security policy, but I think this objetive it is not S.M.A.R.T., please tell me, am I wrong?
objective:"Define and establish the general guidelines of information security in the company, which will guide the personal and professional behavior of all employees and third parties who interact regularly or occasionally with the information and information assets associated with it in the development of their functions."
Thank you for your help.
-
Model of safety dashboard
In fact, I am looking for a model of safety dashboard; you don't have a kit for the implementation of the dashboard with performance indicators?
-
Mandatory Documents
HI, A question about mandatory documents please..... Mandatory documents based on the main body of the standard's clauses as well as Annex A are listed on https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ The documents relating to the main clauses are fine. But.... If you only accept a control because there's a risk identified that makes it applicable to the business doesn't that mean that one or more of he mandatory documents from Annex A won't get created? Or is it that the controls where mandatory documents are included are expected to be adopted by everyone (i.e. there will be risks that require those controls). -
Approaches to meet ISO 27001 requirements
What is the best approach for a five persons, 25 person, and a 100 person organization to proceed to meet the requirements and become mature in the processes of the ISMS?
-
Risk assessment question
I do have a follow up question. You explained if a risk assessment requires better security from a provider or vendor, we can influence that vendor or choose a better one.
But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?
My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole.
I suppose we shouldn't want to leave a vital process outside of our control to begin with, but am still wondering if there could be a loophole there... I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?
I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot so far.
-
Ratio of successful cyber attacks on organisations who are ISO 27001 certified
Are there statistics available which indicates the ratio of successful cyber attacks on organisations who are ISO 27001 certified against those who are not ISO 27001 certified?
-
Appendix 3 of Risk Assessment
I hope you have time to just fill in the blanks here, we did a risk assessment on mobile devices specific, we were 4 people from different departments initiating this workshop to identify the risks for mobile devices.
I get the feeling the assessment report is made for all of the assessments we are doing or like in our case we do it on several type of areas, like mobile devices.
We identified four risks, we had 1 with the value 3 but we still accepted that risk and no other change was made in the appendix 2, in other words, we did not lower the risk value in this case.
And to complete this risk we need to document this in 3 different files, Appendix 1, 2 and 3 (final report).
Can you help me figure out this last part?
-
ISO 27001 conformity
Can you inform, whether authorities like third party approval authorities, market surveillance authorities and technical services are required to show conformity to 27001?