ISO 27001 & 22301 - Expert Advice Community

  • Asset for Risk Assessment

    How do I know I have listed all assets for the risk assessment?

  • ISO 27001-ISO 27017 and ISO 27018

    Our company is ISO 27001:2013 certified and also attested to ISO 27018 and ISO 27017.
    The question is: if we move our apps into the cloud, will this revoke our certificate? Can we no longer claim that we are ISO certified?
    My personal opinion: no, we are still certified and will continue to be certified as long as all our security controls are in place and we are taking all necessary measures and keep monitoring the effectiveness of our controls.

  • ISO 27001 costs estimate

    I'm trying to figure out costs in relation to certification. I know there is a documentation cost (if we choose to go that way) and then there is a certification cost. However, I am struggling to get a sense of the total cost. We are a small *** company (less than 12 employees) providing a SaaS from a cloud hosted environment. For budget purposes, I just need a ballpark figure.

  • Document control

    Please advise on the following:
    For our document control and storage:

    We have created an area called:

    ISMS Documents, which has 2 sub-folders:
    a. Confidential Folder
    b. Non-Confidential Folder

    We have external contracts, and then we have our own contracts, which are created internally.

    All our contracts are stored under "Non Confidential/Contracts". Would we need to be able to distinguish internal from external?
    How does one manage this, as internal contracts need to follow a change history table, whereas external ones depend on and are controlled by the external party?

  • Clarification of terms used in ISO

    Hi there, generally speaking, does ISO still use the term observation or is the term Opportunity for Improvement used now?

  • Gap analysis

    1. I have a question to ask. Do we do the gap analysis first, or the IT risk framework?

    2. Which is easier to do? Looking forward to your feedback.

  • Surveillance audit

    We'll have the first surveillance audit in the next 3 months. We finished our internal audit a month ago. I just joined the team as a Risk & Compliance Manager. How do we prepare for the surveillance audit? I'd like to have an activities plan, a kind of checklist for preparation.

  • NIST framework

    I am working on a project to provide an easy-to-use yet comprehensive approach for supporting boards in monitoring their cyber risk responsibilities. We are thinking of using the NIST framework as a base because of its simplicity and fitting a set of best practices around it. You do such a great job of simplifying the complexity of ISO. Is there a slimmed-down set of practices based on ISO standards we might consider? Thanks!!!

  • Processes in Risk assessment vs. business impact analysis article

    Regarding the Risk assessment vs. business impact analysis article, at https://advisera.com/27001academy/knowledgebase/risk-assessment-vs-business-impact-analysis/, what kind of processes do banks need to perform in 12 hours that would be unacceptable?

  • General Information Security Policy

    Previously, with ISO 27001:2005, I used the general information security policy and defined the scope right there, and I put it into a policy manual, keeping the security policy separate. Today I see that an ISMS scope has to be produced, so I am unsure whether there should be three documents: the General Information Security Policy, the Policy Manual (a whole set), and the ISMS Scope as a separate document.