Guest
I want impact details for each ISO 27001 control.
I need impact details for all 114 ISO 27001 controls if not implemented.
I have assumed that it is recommended to have a clause referencing data security in employee and commercial contracts with suppliers and clients.
We therefore have an action to create a new standard contract for employees, suppliers and clients to include the new data security requirement.
However, my question is, what is the recommended approach for existing employees, suppliers and clients whose contracts do not include the necessary data security clause? Should we be sending an addendum to the contracts? Is it recommended that we do this as part of our ‘treatment’ action on the data security risk that employees, suppliers and clients alike pose to our business?
My organization is certified for ISO 27001:2013.
We are planning to shift some of the on-prem applications to the cloud (public cloud with virtual private cloud).
I request your help in identifying the changes in ISO 27001 scope.
What clauses and controls do I need to check "on-prem" as well as in the "cloud"?
We are now making Assets Inventory and Risk Assessment.
We’ve now listed about 100 assets, 33 of them cloud services.
I have a couple of questions:
1. Some of the cloud services we are using are already ISO 27001 certified (like AWS, or some service hosted in AWS). Does that have any meaning for us?
2. Do we still have to consider risks for those cloud services as well?
3. Could we group the assets so that they become more manageable? E.g. one group: cloud services, and perform the risk assessment for this group, or divide it into SaaS and IaaS groups.
4. Who should be the asset owner of an operating system – the user? And the risk owner is the system administrator?
Just a quick one: what should I request from the client to do a DR Plan?
I can only think of the following:
NDA
Network Diagram
Configurations
Processes
Policies (backup, regulatory)
BCP
I am currently working with a bank who wants a DR Plan.
I had some questions regarding securing the certification:
1. Is it necessary or recommended to secure a foundation certification prior to the lead auditor certification?
2. I am a Quality Manager with 8 years of relevant experience and I intend to switch to core GRC roles. Will this certification help me clear CISA, which is my future certification aspiration?
3. Any other tips that you think might help me scale up would be appreciated.
Looking for your expert opinion.
Background: My ISMS scope consists of 3 scopes: 1) Data Center, 2) Portal Maintenance & 3) A critical business process, e.g. driving license application.
Question: Can I use asset-based risk assessment or should I use process-based risk assessment? Appreciate your expert view.
I am very much familiar with ISO 27001 and other frameworks like NIST etc. I was always conducting security assessments only. This is the first time I am in an ISO 27001 implementation project. My questions are:
1 - How and where do I start in a project for ISMS implementation?
2 - Do you have any knowledge base which talks about step-by-step ISO 27001 implementation? This project involves many stakeholders like application security, database track etc. So how do I manage those teams, as I am alone from the GRC team? I have to ensure all service tracks are aligned with ISO 27001 requirements. So please provide your valuable inputs.