ISO 27001 & 22301 - Expert Advice Community

  • ISO 22301 gap analysis

    We are currently working on a gap analysis, but I can’t seem to find much information about that regarding ISO 22301.
    I am sure it is like ISO 27001, but do you also happen to have more resources or templates about gap analysis for 22301?
    Maybe I just missed it from the template packages.

  • Internet Access

    With reference to the document ‘A.8.2_IT_Security_Policy_Premium_EN’ under ‘3.13 Internet Use’:

    Is it mandatory to define access to the Internet only through the organization, and not direct access?

    If yes, how do we restrict/define actions for email services and cloud platforms, which in general are accessible from the direct network?
    If no, what set of restrictions are defined to comply with the requirements of ISO 27001?

    Please let me know if more clarification is required.

  • Non-Conformity 10.1 and 10.2

    1. Since we already have the templates for the topic “Non-Conformity 10.1 and 10.2” in our toolkit, could you please give some examples of kinds of non-conformity?

    2. Can the main deviations marked by the lead auditor in the pre-audit be taken as non-conformities?

  • Risk assessments

    I purchased your ISO 27001 document toolkit, along with various books.

    With regard to the risk assessment, it’s my first time doing this exercise – while the training & templates are useful, I am a little concerned I’m making it more complicated than it needs to be for a business of our size.

    As with anything, there are levels of detail you can take it to, and I suspect I might be going too deep.

    I was wondering if you had any real example risk assessments for a small/medium-sized *** company that you think are good and would be able to share with me (even if they are a little old)?

    While the theory and examples are useful, I think seeing a real one would help me measure the depth required and if I’m on the right track.

  • ISO 27001 security-driven culture

    1. How can we create an ISO 27001 security-driven culture in an organization?

    2. What are the success factors to ensure ISO 27001 compliance?

  • Productivity and surpasses performance target

    How does ISO 27001 ensure productivity and surpass performance targets?

  • Risk Assessment

    To start, during our last discussion you mentioned we could email you with any questions we have. If your inbox isn’t the right place to direct these to, please let me know the alternative address.

    I had two general questions:

    (1) Our product-as-a-service platform can be thought of as containing multiple modules (this is primarily a marketing and sales spin). Each module can be thought to perform a different feature (i.e. dashboard module, data dissemination module, data transformation module), but these are all driven by a single code base. When doing the risk assessment, should these be thought of as separate assets? Or should they be represented by a single asset (i.e. *** platform)?

    (2) The scope of our ISO is the “handling of customer data (ingestion, storage, dissemination)”. In the risk matrix, we’ve already called out assets (and done the threat/vulnerability breakout) including:
    - employees
    - contractors
    - management
    - office
    - data centers
    - network
    - laptops
    - mobile phones
    - application software (codebase)
    - licensed application

    Is there value to auditors in specifically calling out assets for each of ingestion/storage/dissemination? Or should they be worked into the existing assets (i.e. ingestion would exist under data centres)? Ingestion / storage / dissemination are technically “processes” (not assets), so on one hand I’m hesitant to list them as assets, but on the other hand they are important portions of the scope, and so calling them out might help the focus of the audit. Can you share your thoughts on this?

  • Compliance with the access control policy

    Hi, quick question: now with COVID-19, how do you stay in compliance with your access control policy (meaning access cards, biometrics, etc.)?

  • Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

    I was checking this white paper: Checklist of Mandatory Documentation Required by ISO/IEC 27001 (2013 Revision)

    On page 2 it refers to “Definition of security roles and responsibilities” (A.7.1.2, A.13.2.4).

    Is there a mistake in the reference?

  • Finding internal and external auditors

    We’re still several weeks away from being ready for an internal audit, but I have questions about the internal and external audits that I wanted to ask now in case it takes us a while to make the necessary arrangements.

    1. First, we’re thinking of hiring an auditor who has experience doing ISO 27001 audits to do our internal audit, because it seems like this will give us a better sense of how the external audit will go (though let me know if this logic is flawed for any reason). Do you have any resources you could point me to on hiring an auditor for the internal audit? Or any tips on how best to find someone?

    2. Second, do you have any resources you could point me to on finding a certification body? In particular, I believe we’ll want to find one that has auditors in ***. We won’t have any operations in *** until after we get certified (we need to be certified before we're allowed to start work there). But once we start operating in ***, I assume we’ll need an auditor to visit our office there for follow-up audits in 2021 and beyond (again, please let me know if any of these assumptions are wrong).