Guest
In relation to the ISO/IEC 27001 ISMS Annex A objectives and controls about leadership, and as one example, "Appropriate contacts with relevant authorities shall be maintained" in the business: our business has an organization chart, but the chart shows reporting lines by job function. If you could, please share template examples of a business organization chart that demonstrates a top-down organization structure incorporating: Company Management, Corporate GRC [Governance, Risk, and Compliance], IT GRC, IT Management and Business. Our organization is in the certification process. We need the business organization chart to support Information Security and ISO/IEC 27001 ISMS certification.
The company I work for is working towards attaining ISO27001 certification this year and I am part of the project team embarking on this.
I am working through Risk Management at the moment; having completed Risk Identification & Assessment, I am looking at treatment now.
I am specifically looking at the Application & Databases Information Assets. I note the risk of Inadequate Maintenance, however, I cannot find a control specific to Software/Application Maintenance.
My train of thought is towards version releases, upgrades, database maintenance plans, data checks, etc. The nearest controls I have noted are:
A.11.2.4 Equipment Maintenance
A.12.5.1 Installation of Software on Operational Systems
A.14.1.1 Information Security Requirements Analysis and Specification
A.13.1.2 Security of Network Services
Is there a specific one for Software Maintenance?
I would appreciate some direction.
I just have a question on performing Security Risk Analysis. Is doing a security audit and VAPT another way of doing security risk analysis?
This is the first phase of ISO 27001 for us. We don't plan on seeking certification but are interested in aligning our environment to ISO 27001.
Is it compulsory to define a scope? Can we just go about implementing ISO 27001 for our whole environment? We are a small organisation but getting bigger.
The idea is to initially implement the ISO 27001 framework organisation-wide so that when we expand we have good practices in place that we can build on (expand on).
Do you see any risks/concerns with this approach? Is there a better way to go about it? What are your recommendations?
I have two questions, first about the SoA's justification for the selection of controls and second about secure areas:
1. If there are no risks from the risk treatment (thus no risk treatment number for the control), should one use risks from the risk assessment (select risk numbers which have already been treated by a control) as the justification for selection?
2. I have a hard time figuring out what the differences are between secure areas (A.11.1.5) and securing offices, rooms and facilities.
Hi, I am looking for a tool to help map or link the upstream and downstream dependencies from a business process and systems perspective. Can you help?