Guest
Can I understand the common controls between SAMA and ISO 27K?
Please, I want to know the specific requirements to achieve the A.11 domain of ISO 27001 certification. My organization is considering becoming ISO certified.
Hi, do I need to have implemented and be able to evidence all of the controls identified in the SoA for the Stage 2 audit, or can I state which ones are fully live and which are still in progress?
Please sir, in the ISO 27001 toolkit, under Annex 12-6, there is a table for the level of logging by device type. Please can you throw more light on this for me?
Thanks, Dejan. This is useful. Usually, most companies would have their best people in front of the customers. Sadly, when it comes to implementation, they are not around and the entire activity is left to inexperienced folks who usually go by the book.
1. We have put in place an ISMS. We are yet to perform a gap assessment to evaluate how far we have progressed in the journey. To me, this is the time (prior to the gap assessment and then certification) to assess how much of what we have written is applicable, i.e. of relevance in the context of changing business requirements and the organization's appetite for investment, and then amend the ISMS to appear more practical.
Is the above mentioned relevant?
2. What ISMS documents do the auditors look at? Or, that is to say, which document is critical to ISO certification?
How can I get certified within 3 months?
How do I define the scope of the BCMS and start implementing? Do I have to include all the functions in the organisation to go for ISO 22301 certification?
How can I define the activity in each PDCA and the time for each one? What is the activity example to start the project? If you can give me an answer for both ISMS implementation and Risk treatment plan, that would be great.
1. Do I need to list individual software licenses in the risk assessment, or can they be put into broader categories? I'm thinking ahead to an eventual audit and what an auditor might want to see to show that we are taking everything into account.
i.e.
Software tools that may contain PII and/or confidential information
Software tools that do not contain PII and/or confidential information
And do they need to be separated by whether they are run on premises only or in the cloud?
Or, do I need to put:
Salesforce.com
Microsoft Office
etc., and list all threats/vulnerabilities of each? We have a list of all software tools that contain PII for GDPR already in the Appendix – Inventory of Processing Activities.
2. Is there an easy way to know which controls would apply for each vulnerability, i.e. a mapping to the vulnerabilities that are pre-populated in the Risk Assessment? I think that each vulnerability listed probably has a specific control, so having a mapping would save a lot of time vs. trying to match them one by one.
3. When creating the risk assessment using the Asset-Threat-Vulnerability method and assigning a Likelihood, do we take into account the current state of that risk given our already implemented (pre-ISO 27001) controls? I.e., if we have multi-factor authentication, the risk of access to our email system is lower; therefore, would we put a lower number for likelihood? I assume this is the case, but am not clear.
4. Do you suggest using the OCTAVE Allegro worksheets (or something similar) for polling the risk owners while creating the Risk Assessment, or is there a questionnaire available that can be sent to them with specific questions that I am missing?
A number of your documents have a section called 'MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT'. Is this absolutely necessary or can we delete this section?