ISO 27001 & 22301 - Expert Advice Community


  • Difference between strategies and solutions in ISO 22301

    Can you help me in understanding what is the difference between strategies and solutions which are mentioned in BCMS ISO 22301:2019?
  • Questions related to Controls

    1. When doing the Access Control policy we found ourselves relatively short of content in the policy document (this has not appeared to be the case in all policies we’ve worked through). Are you able to give us any guidance on where we could find resources with more prescriptive control examples, than are found in the ISO 27002 standard? The challenge we seem to have is the policies are not all encompassing in terms of coverage of the controls, and when we turn to the controls in the standard, the controls appear quite vague in some cases. Is there somewhere a next level down of control examples? Any comments / insights you can offer around this would be appreciated.

    2. Is there anything at all stopping us from incorporating the controls found in CSA CCM into our documentation suite? Many map to ISO controls, but in some cases appear to be more specific.

    If we were doing this, do you have any suggestions or comments we should keep in mind when approaching this?


  • System Acquisition Development and Maintenance

    Regarding 27001 Toolkit\08_Annex_A_Security_Controls\A.14_System_Acquisition_Development_and_Maintenance:

    We do not do any software development. Is it safe to say that we do not need to complete this Policy and the Appendix on Specification of Requirements? If so, do we note this elsewhere in the documentation?

  • Disaster recovery ISO 27031

    We are starting out on our ISO process and have chosen to begin with disaster recovery (ISO 27031). What information/guidance can you share or recommend at this stage of our process?

  • List of most common business-critical information assets

    I am particularly trying to get some help with a list of most common business-critical information assets. Not the hardware and software assets.

  • Information security career

    Thank you for your lectures on ISO 27001.

    Sir, I am a certified LA in ISO 9001:2015 and a certified ISO 14001 and 45001 auditor, with a B.Sc. and an MBA.

    In short, I don't have any experience in ISMS, but I want to pursue my career in ISMS. Is it the right thing to do, knowing that I don't have any IT background, and if yes, how should I start?

    What other skills should I learn to make a good international career out of ISMS?

  • How to calculate RTO and RPO

    How to calculate RTO and RPO?

  • Questions about ISO 27001 implementation

    We have purchased the ISO27k toolkit last year (I believe the toolkit with extended support) and started the implementation.

    At this point, we are finalizing the risk assessment and starting the SoA. I now have a few questions. Please direct me to the right person if you are not the appropriate recipient.

    My questions so far:

    1 - It’s not yet clear to me what we must do exactly if a risk from the treatment table is not acceptable and requires some implementations.

    What is the accepted time frame for risks mitigation?
    For an unacceptable risk which requires new controls for treatment, what if we plan the implementation – say – 1 or 2 years later?
    Is it allowed by the standard and/or auditor?
    Will it be visible in SoA’s residual risks?
    In other words, does it have to be addressed before the next assessment, or the next audit, or freely?

    2 - If the risks must be absolutely mitigated “quickly” when not accepted, then we may need to relax the acceptance criteria to encompass them. Can we say:

    Based on a yearly budget, state that i.e. high risks can be accepted only if there is no room left for the implementations in the running assessment… (or financial year… somehow)
    The risk mitigation may therefore be postponed to the next assessment (hopefully not indefinitely..) or “whenever possible”
    Would that kind of acceptance criteria fit with the standards and pose no issue with auditors?
    I suppose that such accepted risks will again appear in the SoA (but it makes sense)

    3 - Concerning the risk assessment:

    Will our estimations of impact or likelihood be strongly challenged by the auditor? (sometimes there is room for debate..)
    Do we have to prepare evidence for each asset assessment or risk, to assist in the verification?
    Clearly, doing so, in advance, and for many risks/assets is not feasible for us
    I guess the focus will be on the SoA instead and how the controls are implemented? (or to explain why they are not)

  • ISO 27000 and ISO 31000

    Which standard of the ISO 27000 group or ISO 31000 determines the owner of information assets as the owner of the information risk? And which treats information risk as an operational risk?

  • ISO 27001 certification for a group of companies

    Hello, we would like to certify our company to ISO 27001. Since our organization is made up of a parent (holding) company and several subsidiaries, our question is whether certification is possible for all companies at once, and what the procedure is. As soon as this question has been clarified, we will tackle the preparation with the help of your template. Thanks for your help in advance.