ISO 27001 & 22301 - Expert Advice Community


  • Can we change the scope of ISO 27001

    I have a little problem, or a concept, that I want to ask about related to the ISO 27001 scope and the ISMS.
    Let's take, for example, a new startup. When they have 20 employees they try to certify themselves, they get certified, and they certify the whole organization because their CEO thinks it will help them in the market as well as in information security.
    And when they grow and have, for example, about 3000 employees, they understand that they didn't need to certify every bit of the organization with ISO 27001, and they just want to change their scope from the whole organization to only the information about their employees and their customers. So in the end, are they able to do that or not????
    I know I gave an example that we can't see in our real life, but can we do that or not??
    Waiting for your reply.
    Hope you will understand what I want to say :)

  • Needs and Expectations of Interested parties

    Are needs and expectations the same or different for one interested party? If different, are the needs and expectations both requirements for the stated interested party, for example a client? Or, in the case of the client, are the needs what the organization wants from the client, and the expectations what the client has from the organization?

  • Information security policy in contracts

    Do the information security policies have to be explicitly in the contract, or is it enough if they are in the employee handbook?

  • Feedback on Cloud Computing

    What does ISO 27001 say about deleting information in cloud computing?

  • Training on ITIL

    By having my whole IT team trained on ITIL, does it benefit getting ISO 27001 compliance?

  • Table Top Exercise /Drill Validity in meeting ISMS Certification

    Our organization has held ISO 27001:2013 certification for a few years. All the while, we have conducted full testing for our IT DR drill. Recently, we switched to a table-top or plan walkthrough for our drill. Would this meet the ISMS certification requirements during the surveillance audit? As far as I understand Annex A.17.1 of ISO 27001:2013, a performed test or drill is considered to already fulfil the requirements.

  • How do I handle the risk of control?

    1. How does one put in the risk/control of the asset?

    I have read your website in terms of implementing an ISMS for ISO 27001.

    First I classified my assets, labelled them, and checked the risk of each.

    Now how does this relate to the ISO controls?

    What I don't understand is that the ISO has an annex, controls and some questions (or advice).
    Because... let me take an example from the annex.
    OK, let's say employees are also an asset. So, taking Annex A.7.2.2
    "Information security awareness, education and training"

    Objective
    All employees of the organization and, where relevant, contractors shall receive appropriate awareness education and training and regular updates in organizational policies and procedures, as relevant for their job function.
    Does this mean one just has to educate the workers and partners on policies and then he is compliant with this annex control?

    2. I watched one of your videos about ISO 27001, in which the speaker gave a simple method of a risk assessment table. So what impact does that table have on the ISO requirement?

    3. Assuming I have 10 assets, but 3 have a risk and 7 are okay.... which controls of ISO 27001 is this related to?

  • ISO 27001 implementation

    Good morning, I am bringing my company into compliance with the LGPD, but within the LGPD, ISO 27001 comes in, and I have doubts about where to start and what information I need to gather.

  • A.8.3 Media handling

    I wonder about the security controls in ISO 27001 A.8.3. Which of them should also include paper as media? A.8.3.1 Management of removable media, A.8.3.2 Disposal of media, A.8.3.3 Physical media transfer.