ISO 27001 & 22301 - Expert Advice Community


  • Risk Assessment Method

    Can I use the CIS RAM as my Risk Assessment Method for implementing ISO 27001:2013? I feel very comfortable using that method but need to know if it is appropriate to use it with ISO 27001. Or is the best scenario to use ISO 27005:2018?

  • Customer management

    I would like to know why ISO 27001 has a "Supplier Management" but no "Customer Management"?

    How should I align or secure my customers within my ISO 27001 implementation?

  • Data retention

    It would be great if you could tell me if ISO 27001 or other standards require companies to remove customer data after the contract is finished. Actually I don't mean personal information, mostly data which data analytics use for machine learning, model training and so on. I am looking for B2B business data retention requirements.

  • ISO 27001 and ISO 20000 certification

    Our company is looking at getting ISO 27001 and ISO 20000 certification. Do you think this is necessary? Or which one will suffice to cover both certifications?

  • Information security objectives

    I have this example in my Information security policy, but I think this objective is not S.M.A.R.T. Please tell me, am I wrong?
    Objective:

    "Define and establish the general guidelines of information security in the company, which will guide the personal and professional behavior of all employees and third parties who interact regularly or occasionally with the information and information assets associated with it in the development of their functions."

    Thank you for your help.

  • Model of safety dashboard

    In fact, I am looking for a model of a safety dashboard; don't you have a kit for the implementation of the dashboard with performance indicators?

  • Mandatory Documents

    Hi, a question about mandatory documents please... Mandatory documents based on the main body of the standard's clauses as well as Annex A are listed on https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ The documents relating to the main clauses are fine. But... if you only accept a control because there's a risk identified that makes it applicable to the business, doesn't that mean that one or more of the mandatory documents from Annex A won't get created? Or is it that the controls where mandatory documents are included are expected to be adopted by everyone (i.e. there will be risks that require those controls)?

  • Approaches to meet ISO 27001 requirements

    What is the best approach for a five-person, 25-person, and 100-person organization to proceed to meet the requirements and become mature in the processes of the ISMS?

  • Risk assessment question

    I do have a follow up question. You explained if a risk assessment requires better security from a provider or vendor, we can influence that vendor or choose a better one.

    But if that vendor was left outside of the scope, would they still be part of the risk assessment? Would it still come up?

    My concern would be that if we depend on a vendor to provide a secure service, but it's not in our control so we leave it out of our scope, how would we consider and manage it? Sounds like a loophole.

    I suppose we shouldn't want to leave a vital process outside of our control to begin with, but I am still wondering if there could be a loophole there... I get why a scope has to be chosen early, but if the risk assessment comes after the scope, it just seems to me that a vital asset or vulnerability could be left out of consideration. Which would mean a different risk management framework would be needed apart from ISO 27001?

    I might be going down the rabbit hole here. I really appreciated the webinar and guidance so far! It has helped me out a lot so far.