ISO 27001 & 22301 - Expert Advice Community




  • Question about SoA

    Dear Dejan,

    I have a question for you about the Statement of Applicability. I’m doing an ISO 27001 implementation at a software company and the shareholders have given us only a couple of months. So I want to do a minimal project, doing only the necessary policies, with the idea that we can expand on that in the coming years. So I looked at which documents are mandatory and which ones are not. But now I wonder how that translates into the SoA.

    Example. We have a SaaS solution, so all information from customers is on very secure cloud systems from our suppliers. We don’t have very much information that is very exciting on SharePoint servers. If the classification policy is not mandatory and if it’s not a risk coming out of risk analysis that we need to control, does this mean we can say No on A.8.2.1 and the following controls, or can I say Yes and fill in the limited measures we have, like the secure data center and so on? How would you go about this?

  • Physical and environmental security

    If the organization has remote work for all employees, it does not have a physical environment and all processes are worked in the cloud, do these controls apply to the organization?

    A.11.2.1 Equipment siting and protection
    A.11.2.2 Supporting utilities
    A.11.2.3 Cabling security

    Thank you in advance.

  • Secure Development Life Cycle

    Another question. I think we know the answer, but just double check.
    Q2 – We produce hardware and software that we sell to our customers. The software is based on licences.
    2.1 - Do the ISO controls apply in any way to these products? I think not; once they are acquired by the customer, the responsibility in terms of ISO 27001 falls under them. Am I right?

    2.2 - Does the ISO indicate controls for SDLC (Secure Development Life Cycle)? And for hardware?

    2.3 - If we provide some sort of support service (maintenance, improvement, patching, etc.), how does this affect us in terms of the ISO? If we just intervene in the systems and leave without collecting any data, I guess that we have nothing to do for ISO, but if we collect some data (logs, records, etc.) and store it in our systems, then this data becomes our responsibility and thus is affected by the ISO. Is this assumption right? What controls would affect these logs/records/info?

  • BC strategy and ISO 9001

    How does a BC strategy fit into an ISO 9001 certified company? What is the impact on the QMS (supply chain crisis, sales, training and communication, etc.) if you have a BC strategy or not? How should I convince my CEO of its importance? (To my knowledge we don't have a documented BC Plan.) Thank you for clarifying and presenting this topic.

  • Information in third party systems

    First of all, thank you very much for your help. It is helping me to understand how to do things in a better and simpler way.

    Another question: 

    Q1 – The HR department has most of the systems they use externalized with 3rd parties. These cover our official web site, personnel information, payroll and other tools. The 3rd parties do the technical management, and our HR use the systems, maintaining the information. My guess is that these systems aren’t assets we need to protect, because they are out of our control, but the information belongs to us.

    How should I treat this case in terms of assets, risk assessments and controls?

  • Implementation questions

    I am currently researching the topic of ISO 27001 as our number of institutional clients is increasing.

    I would be interested in some information regarding the standard, so I would be very grateful if you could take some time to help me with the following questions:
    1. I looked at the phases of the standard, from Planning, Implementation, Verification to Further Improvements. I wonder how long on average full implementation and verification takes?
    2. Where are and what are our potential financial costs?
    3. At what stage would the auditor come, and is this something you could do for us? (Also, I'm interested in the fee for that.)
    4. Any PDF resource would be great which could describe the whole process in more detail. So if you have something similar, please send it to me.
    5. Since we are just starting to look at the standard, we do not have too much prior knowledge, so please add anything that you think is important and I failed to ask.

  • Business impact analyses questionnaire assistance

    We have started with the listing of our assets and need some assistance, as I think that we might be on the wrong path here. We have listed most of the hardware / systems that we use and have started with the business impact analysis questionnaires. My question is: Do we list all hardware or systems that we use as activities within the business impact analysis questionnaires, or is this questionnaire purely used to document the actual process covered by the individual assets?

    Please see attached list of assets and we have created a questionnaire for each of these assets. Is this correct?

  • Training sessions

    Just wondering: after giving the awareness workshops, there should be a survey to be filled in by the attendees. Would you tell me what questions should be asked and how the results or statistics would help me later on? In other words, why am I conducting a survey, and how should it help me to determine my next steps? Also, in case I am doing a report for management, what should it include for decision making?

  • Question on enterprise risk management framework

    I bought your book Becoming Resilient.  It has been helpful.

    I just started reviewing your blog.

    I am developing a BC framework for a company that has nothing.

    Your book and blog are good resources for this effort.

    I have also been tasked with developing an enterprise risk management framework.

    I have been reading up on COSO’s 8 key components that comprise an ERM framework:

    1. Internal Environment- Management sets a philosophy regarding risk and establishes a risk appetite.  The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people.  It is critical that upper management express the importance of ERM throughout all levels of an entity. 

    2. Objective Setting- Objectives must exist before management can identify potential events affecting their achievement.  ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

    3. Event Identification- Potential events that might have an impact on the entity must be identified.  Event identification involves identifying potential events from internal or external sources affecting achievement of objectives.  It includes distinguishing between events that represent risks, those that represent opportunities, and those that may be both.

    4. Risk Assessment- Identified risks are analyzed in order to form a basis for determining how they should be managed.  Risks are associated with objectives that may be affected.  Risks are assessed on both an inherent and residual basis, with the assessment considering both risk likelihood and impact.  Risk assessment needs to be done continuously and throughout an entity. 

    5. Risk Response- Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risks.  Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite. 

    6. Control Activities- Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.

    7. Information and Communication- Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.  Information is needed at all levels of an entity for identifying, assessing, and responding to risk.

    8. Monitoring- The entirety of ERM is monitored, and modifications made as necessary.  In this way, it can react dynamically, changing as conditions warrant.

    Do you have any additional suggestions or advice as I embark on this journey?

  • ISO 27001-Advice- Clause 6.1.3 d)

    I would like your point of view on the following:

    I am confused about how to interpret this clause.

    If I had an SoA with the following columns, would it meet the requirements of this clause:

    or should it be like this to meet the requirement?
