ISO 27001 & 22301 - Expert Advice Community


  • Psychology within the scope of risk treatment and analysis

    Thanks for the update on the course. I have a project that is still in development and I was wondering if you had any information on the issue of psychology within the scope of risk treatment and analysis. If we're going to build the profile of a job that contains a risk at any level, either within the task sequence or the individual assessment of the task, how do we determine the responsible strategy of analysis of the situation?

  • ISO 27001 certificate

    1 - Can we take the ISO 27001 certificate with a master's degree in general management in organizational strategy and 4 months of experience as a business intelligence consultant?

    2 - Can we work remotely as an aid in audit or ISO 27000 implementation projects under these conditions?

  • ISMS Scope - remote working

    1 - A question on ISMS scope and 3.3 Locations in your toolkit template. Due to COVID we no longer have a physical office; it may be that we never return to having one, as we mainly all worked remotely in any case. We have 6 people in our business, but 4 remote working locations. For the purposes of ISO 27001, are those 4 remote working locations to be in scope for our ISMS? I think the answer is no, because we are a SaaS company and your webinar on ISMS scope said that SaaS cloud companies did not need to look at HW or SW, just their data.

    2 - However, what about operational controls to ensure information and data such as passwords are not left lying around? An imposter could in principle log on and get into our system. Would we need a tidy desk policy or something like that so that no paper passwords or client data/information is on note pads or left out? How would you actually enforce that with remote working? Perhaps a risk you choose to acknowledge but not do anything about, as you can’t enforce a locked room in someone’s home. Not sure what other companies are doing on this point now that everyone is working from home. Should we be saying that employees log out when they go away from their computer? Should we be keeping a record of when an employee signs in and signs out of their device or applications on that device? We value our flexibility and don’t want to upset our culture by having a big brother approach to how we work and operate.

  • Disposal of assets

    What I am looking for is something that would help me draft a law regarding disposal of assets.

  • Documents and records

    1 - A further point to the below on when a document can become a record.

    This is the principle in the document change history section of documents, that I’ve been basing our document version control journey on:

    V0.1, v0.2, v0.3, v0.4 = Drafts

    V1.0 = Approved version based upon v0.4

    V1.1, V1.2, V1.3 = Updates to the v1.0. Draft status.

    V2.0 = Approved version based upon v1.3

    V2.1, V2.2, V2.3, V2.4 = Drafts

    V2.4 is reviewed and approved

    V3.0 = New approved version.

    I had thought that as soon as a document has approved status then it becomes a record. At that point the document, which is now in the record log, is subject to the controls regarding assigning an owner that must check the content on a given review date to ensure that the information and data contained within the document is accurate, current and relevant.

    From the advice you have given, I realise I have misunderstood what a record can be and also the control that applies to records. The above example of a document, from what you are saying, is not to be considered a record. However, the quality control still needs to take place to review all documents that have information and data in them for their accuracy and relevance etc.?

    2 - Records cannot be edited or amended and they have retention periods, whereas documents are only required up until the point that they are useful to the business. Therefore, all previous versions of documents can be archived or deleted. Is this a correct statement?

    3 - A secondary point, is the above example of version control a good practice approach or am I leading our team down the wrong path?