Guest
Looking for your expert opinion.
Background: My ISMS scope consists of 3 scopes: 1) Data Center, 2) Portal Maintenance, and 3) a critical business process, e.g., driving license application.
Question: Can I use asset-based risk assessment or should I use process-based risk assessment? Appreciate your expert view.
I am very much familiar with ISO 27001 and other frameworks like NIST etc. I have always conducted security assessments only. This is the first time I am on an ISO 27001 implementation project. My questions are:
1 - How and where to start in a project for ISMS implementation?
2 - Do you have any knowledge base which talks about step-by-step ISO 27001 implementation state? This project involves many stakeholders like application security, database track, etc. So how do I manage those teams, as I am alone from the GRC team? I have to ensure entire service tracks are aligned with ISO 27001 requirements. So please provide your valuable inputs.
I have been following your studies and materials about ISO 27001 implementation on your website. You stated on your website at https://advisera.com/27001academy/knowledgebase/iso-27001-gap-analysis-vs-risk-assessment/ that Gap analysis is done only for Annex “A” controls and that one DOES NOT need to perform gap analysis for clauses of the main part of the standard. I believe you are referring to the mandatory management clauses from clause 4 to 10. (Please find attached screenshot.)
Now, my confusion is coming from the ISO 27001 Gap Analysis tool you provided on your website at https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool/?icn=free-gap-analysis-tool-27001&ici=bottom-iso-27001-gap-analysis-tool-txt. In this Gap Analysis tool, you included the mandatory management clauses (i.e. clause 4 to 10) as part of the Gap Analysis checklist when you stated previously that Gap analysis is not performed for the mandatory management clauses.
Can you please explain why?
One point that wasn’t answered is regarding underscores in a file name.
In terms of best practice and your opinion, given that all the document templates in your toolkit have underscores, is this something you recommend? What is the reason for having underscores in the file name?
I'd like to update my SoA due to COVID-19, where 90% of users are working remotely.
Can you help with that?
I want to know the short way to get certified as ISO 27001 and 27002.