Please select user.Assign
There are no topics yet.
I have two separate cloud instances in AWS. One is shared among customers and one is dedicated to individual customers. I don't have all security controls enabled on the shared instance yet. When I go in for ISO Certification, can I exclude the shared instance from my scope and certify the dedicated environment only.
I am writing to find out the implications of using unlicensed product keys or incorrect licenses on ISO 27001.
I have come across cases where there are certain products such as XXX, XXX and XXX that are not correctly used. Product keys were acquired, but the licenses were not.
I am under the assumption that the control A.18.1.2 requires an organization to use the correct licenses. Would these issues have an impact on certification if they are uncovered within an audit?
looking more detailed at the A.9.4.3.
What is a Password Management System, is it just a set of rules, as described in Access Control Policy?
But then, should we describe for which systems do these Password rules apply, and for which not? Or should they be general?
I would like you to show me how configuration and vulnerability management are connected / dependent on each other. and How Configuration management can help in vulnerability management in achieving goals. Would appreciate early response. Thank you.
once the organizations context has been documented how we would use the information to determine the scope. How do I facilitate in such a way that get them thinking about our products and associated processes/activities in a way that exposes the BC risks.
Hi, i don't know how to start this list, i may need clear examples on how to fill this list. Maybe some examples in the document for each will be nice.
- Legal examples
- Regulatory examples
- Contractual examples
- Other requirements examples
I want to better understand as a software SaaS company how to leverage ISO 27001/ 9001- 90003 together with SDLC for agile development and build a support team with ITIL/ ISO 20000. Security and quality without stopping productivity.
Es claro que sobre los activos de información que corresponden al alcance del SGSI se debe definir el Plan de Tratamiento de Riegos. Se debería siempre considerar el SGSI como un activo de información en sí mismo? Y, por lo tanto se deberían identificar los riesgos asociados a su gestión). Por ejemplo: El Riesgo de no definir bien el alcance, el riego de no haber inventariados todos los activos pertinentes al alcance, el riesgo de no definir bien el SOA, el riesgo de no haber definido de manera integral y coherente el Plan de Tratamiento de Riesgos (RTP), etc. Es usual este enfoque? o esto excede al SGSI en si mismo? De antemano gracias por tu respuesta.
(It is clear that the information assets that correspond to the scope of the ISMS must define the Risk Treatment Plan. Should the ISMS always be viewed as an information asset in itself? And, therefore, the risks associated with its management should be identified). For example: The risk of not defining the scope well, the risk of not having inventoried all the relevant assets within the scope, the risk of not defining the SOA well, the risk of not having comprehensively and coherently defined the Treatment Plan for Risks (RTP), etc. Is this approach usual? or does this exceed the ISMS itself? Thank you in advance for your answer.)
I have a question regarding the policies and standards that will be customised. Is the template are mapped with NIST and CIS 20 requirements?
Please advise regarding the below
As a data processor , what is the legal basis of processing the data noting that we need to process the data to provide our services to the data controller and that consent is not obtained from our side and we don’t sign a contract with the data subject however we sign it with the data controller.