ISO 27001 & 22301 - Expert Advice Community


  • Implementation of the function segregation matrix in a small company

    I need help or a tip on the best way to formalize a segregation-of-duties matrix in a small company.

  • Implementing a segregation-of-duties matrix in a company with 130 employees

    I need help or a tip on the best way to formalize a segregation-of-duties matrix in a small company.

  • Considering ISO 28000 for outsourcing hosting of their software products

    One of my 27001 clients is asking about whether they need to consider ISO 28000 as they outsource the hosting of their software products.

    Do you have any guidance on this?

  • Clarity on the certifying body and the cost for it

    Is there any specific value to the certifying body, as there are many academies providing this certification? Does a certificate from a not-so-popular one have any weight in the market?

  • Difference between BCMS and Risk Management System

    What is the difference between a BCMS and a Risk Management System?

  • Gantt chart as a project plan for the ISO 27001 project

    We're trying to build a Gantt chart as a project plan for the ISO27001 project, and we're looking to see if you have any of the steps documented beyond filling in the docs themselves. E.g., folders 04 and 05 will require training users; missing controls under folder 14 will need to be built, tested, and deployed, such as enforcing BitLocker. Folder 13 seems to address some of this based on mitigating risk from the risk assessment. Still, we're hoping this is already in a project doc with the assumption that we are 0% complete, and we can pull out what's unnecessary or already implemented.

  • Annex SL 27001 or annex A 27001

    For network security, is it better to apply annex SL 27001 or annex A 27001?

  • ISO 27001 & ISO 22301, GDPR and PCI-DSS

    1 - Is it possible to have all in one? It is for my client, who wants to implement them since he has clients who request that they all be implemented.

    2 - How much will the implementation with documents cost?

    3 - Is it possible to do the implementation via Zoom or Webex?

  • Defining the Scope

    I would like to start off with a scope that includes the information stored in our datacenters.

    But, when I look at the ISO 27001 standard, it states quite clearly that:

    When determining the scope, the organization shall consider:
    a) the external and internal issues referred to in 4.1 (Understanding the organization and its context)
    b) the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties)
    c) interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.

    I refer in particular to point c). We use 3rd party suppliers, some of whom process our client data (which is stored in our datacenter), and I was wondering: if I only include the information that is stored in our datacenter in the scope, and if I don't include 3rd parties in the scope, will the ISMS fail the audit? Or is it simply enough to say that we have controls and policies in place around the data that is stored in our data center, and these controls pertain to 3rd parties who process some of that data that resides in our datacenter?

  • Confidentiality, Integrity, and Availability

    When developing the risk assessment, the CIA must be considered. If we use an asset-based approach, CIA refers to the asset, right? But if we use a risk- or process-based approach, what will the CIA refer to?