ISO 27001 & 22301 - Expert Advice Community


  • Risk Assessment Table

    I would like to find out from you how to treat the quality of work that an organization produces during its operations. Should this be considered when preparing the Risk Assessment?

    For example, 

    Appendix 1 - Risk Assessment Table 
    https://i.imgur.com/g1qgUdT.png

  • Statement of Applicability

    I hope you don’t mind me contacting you. I bought two of your books through my work.

    I have a question about the Statement of Applicability and I was hoping to get your opinion.

    1 - My understanding of the SOA is that it lists the 114 controls of Annex A. An organization should select the controls that are ‘applicable’ to safeguard the assets that are in the scope of the organization's ISMS. Is this correct?

    There is something I do not understand. The above makes sense if the SOA only applies to 1 asset (for example, a single business system). In this example, 112 out of 114 controls might be applicable. But what happens when you add more and more assets? The 2 controls that are not applicable for the first asset might be applicable for the other assets – eventually, you just end up saying that all 114 controls are applicable and therefore the SOA does not really have much value at this point?

    2 - My other question is around risk assessments. If all 114 controls are applicable for a system, does that mean our risk assessment has to cover all 114 controls? Or would a better way be to do a ‘compliance assessment’ to verify which of the 114 controls are applicable and which of those controls are implemented and working effectively and then document the risks based on the control gaps?

  • Assessment/Treatment Methodology

    I would now have a question on the Risk Assessment / Treatment Methodology: what exactly must be included in the "list of legal, regulatory and contractual or other requirements", or what is the recommendation?

  • ISO 22301 Accreditation

    Considering I have extensive experience in DR/BC and meet the professional and project experience requirements, can I take the PECB Certified ISO 22301 Lead Implementer exam after self-study (or third-party training), without a prior PECB-only class?

  • Difference between the three terms

    At work we understand that the Information Security scope includes all sources media, paper, verbal, and digital media, and Information Security establishes controls.

    IT security is the installation of anti-viruses, updates and their administration. IT security is performed by IT specialists of the IT team.

    What is Cyber security? In the book you say it is synonymous with IS.

    IS = CyberSec or CyberSec = ITsec?

  • Minimum required distance between a primary and secondary data center

    What is the minimum required distance between a primary and secondary data center?

  • Meaning of "E" in ISO 27001:2013(E)

    What does "E" mean in ISO 27001:2013(E)?

  • ISO27001 Documentation and Accreditation - Thank you!

    I received notification from my Auditor today that we have achieved accreditation with 0 non-conformities and in 6 months from commencement. I had never tackled this type of thing before. I would like to say that I don't believe this would have been achieved had I not purchased your documentation and training videos along with this discussion site. I thank you very much for your support and material; it proved invaluable to me.

    My next challenge will be ISO9001 and I will not hesitate to purchase your documentation again for this standard.