ISO 27001 & 22301 - Expert Advice Community

  • CISO

    Does the standard require the company to have a CISO (Information Security Officer) in-house?
    Can I outsource the CISO?
    Regarding the training plan, is it always necessary to present a certificate as evidence of a training course?
    How can free courses, for which no certificate is issued, be evidenced?
    Can information security objectives be changed at any time, or must a measurement period be completed first?
    If a security objective is changed, can an auditor ask me for the measurement of the old objective?

  • 27001/2:2013 framework for Information Assets of OT/ICS

    I am working with a leading oil and gas company, ***. I saw several of your webinars on online video portals. I appreciate your clear understanding of the ISMS through the ISO 27001/2:2013 framework.

    I want to know your opinion on whether the 27001/2:2013 framework is applicable to Information Assets of OT/ICS (Operational Technology/Industrial Control Systems) such as SCADA, DCS, etc.

    Your reply in this regard may be valuable to us for protection of our Information Assets of OT/ICS.

  • AWS

    I have two separate cloud instances in AWS. One is shared among customers and one is dedicated to individual customers. I don't have all security controls enabled on the shared instance yet. When I go in for ISO certification, can I exclude the shared instance from my scope and certify the dedicated environment only?

  • Incorrect use of product keys

    I am writing to find out the implications of using unlicensed product keys or incorrect licenses for ISO 27001.

    I have come across cases where there are certain products such as XXX, XXX and XXX that are not correctly used. Product keys were acquired, but the licenses were not.

    I am under the assumption that the control A.18.1.2 requires an organization to use the correct licenses. Would these issues have an impact on certification if they are uncovered within an audit?

  • A.9.4.3 Password Management System

    Hello Advisera, looking in more detail at A.9.4.3: what is a Password Management System? Is it just a set of rules, as described in the Access Control Policy? But then, should we describe which systems these password rules apply to, and which they do not? Or should they be general? Thank you!

  • Configuration and Vulnerability Management

    I would like you to show me how configuration and vulnerability management are connected to / dependent on each other, and how configuration management can help vulnerability management achieve its goals. I would appreciate an early response. Thank you.

  • Determining scope

    Once the organization's context has been documented, how would we use that information to determine the scope? How do I facilitate this in such a way that gets them thinking about our products and associated processes/activities in a way that exposes the BC risks?

  • Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

    Hi, I don't know how to start this list; I may need clear examples of how to fill it in. Maybe some examples in the document for each would be nice: legal examples, regulatory examples, contractual examples, and other requirements examples.

  • Software SaaS company

    I want to better understand, as a software SaaS company, how to leverage ISO 27001 / 9001 / 90003 together with the SDLC for agile development, and how to build a support team with ITIL / ISO 20000: security and quality without stopping productivity.

  • Risk treatment plan

    It is clear that the Risk Treatment Plan must be defined for the information assets that fall within the scope of the ISMS. Should the ISMS itself always be considered an information asset in its own right (and, therefore, should the risks associated with its management be identified)? For example: the risk of not defining the scope well, the risk of not having inventoried all the assets relevant to the scope, the risk of not defining the SOA well, the risk of not having defined the Risk Treatment Plan (RTP) in a comprehensive and coherent way, etc. Is this approach usual, or does it go beyond the ISMS itself? Thank you in advance for your answer.