Guest
1 - Is the SOA related to the scope?
2 - How can we verify the inclusion and exclusion of controls?
1 - Company documents such as "Contracts" signed with various clients: do these form part of "internal" documents or external?
2 - Would we have to follow a Change History table on them too?
As part of a case study I'm working on, I need to describe a plan of action and the expected impact on the SW engineering dept of a digital banking company. The new CISO decided to introduce an ISO27001 ISMS and aims for the certification in 3 years. I have been tasked with implementing this framework in the SW engineering dept.
Can you help me structure the main guidelines and controls I should look at? I can make assumptions of course, but I'm not really sure how best to tackle it.
Would you know if the exception process in an information classification policy can be a manual process?
I have heard a lot about GDPR and how much it restricts the privacy of PII. In my case I have a proxy web server that has many backend services behind it; one of those backend services uses something called Basic Authentication to authenticate the user. In Basic Authentication the user submits a username and password, and these are base64 encoded in the request header. The point is my proxy logs the username from that header in the audit log, so if the user is admin then I'll log User: Admin in my log.
Is this prohibited under GDPR or ISO 27k? Note that I'm logging this info for security reasons.
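As an added illustration (not code from the question above), this shows the two logging choices the poster is weighing: how a proxy can take only the username out of a Basic Authentication header (never the password), and how it could write a keyed pseudonym instead of the identifier so the audit trail stays correlatable. The header value, paths and key below are constructed; AUDIT_PSEUDONYM_KEY is a placeholder that a real proxy would load from a secret store.

```python
import base64
import hashlib
import hmac
import re

# Placeholder key (assumption): a real deployment would load this from a secret store.
AUDIT_PSEUDONYM_KEY = b"placeholder-audit-key-rotate-me"

# Constructed sample header, as a Basic Authentication client would send it.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"admin:s3cret").decode("ascii")


def parse_basic_auth(header_value):
    """Return (username, password) from an 'Authorization: Basic <b64>' value, or None."""
    m = re.fullmatch(r"\s*Basic\s+([A-Za-z0-9+/=]+)\s*", header_value or "", re.IGNORECASE)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None  # RFC 7617 requires user-id ":" password
    user, _, password = decoded.partition(":")
    return user, password


def pseudonymize(username):
    """Keyed hash of the username: the same user yields the same token, but the
    identifier itself is not stored in the log."""
    digest = hmac.new(AUDIT_PSEUDONYM_KEY, username.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def audit_line(header_value, path, status, pseudonymous=True):
    """Build the audit log entry the proxy writes. The password is never included,
    whichever mode is chosen; pseudonymous=False logs the plain username."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        who = "-"
    else:
        who = pseudonymize(creds[0]) if pseudonymous else creds[0]
    return f"user={who} path={path} status={status}"
```

Running audit_line(SAMPLE_HEADER, "/api/accounts", 200, pseudonymous=False) reproduces the "User: Admin"-style entry from the question; the default mode logs only the keyed token.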
Hello Dejan and team. We are a start-up based in ***. We are just about to start coding our software-as-a-service solution. While it is not a top priority initially, we expect that we will later seek ISO 27001 certification. What are the key considerations we should bear in mind as we embark on the development process, such that we have the preparatory work in place to ease the ISO 27001 process later?
I need to build an asset and a risk register. I think I understood the concept but I'm having some difficulties drawing up an Excel file.
I understand that there are primary assets (processes, information) and supporting assets (PCs, SW, Site, etc.).
1 - Should all these assets be included in the same column, having for example the categorization in another column or should I have 2 different tables, with a relation between supporting assets and primary ones?
2 - Are the threats and vulnerabilities related to supporting assets and thus impacting the related primary assets? How should this be mapped in an Excel file?
I am looking for a definition and examples of change under a change management policy.
1. As I fill out the risk assessment table and do the risk assessment, we are finding that some risks should be owned by a third party connected to our ISO scope. Is it OK to list them as the asset and risk owner? They would be responsible if the risk surfaced.
2. We have some SDLC (systems development life cycle) controls listed in 06 SOA. We stated in our scope document that software development is not in scope; however, if we know that controls are in place already, should we document that in the SOA?
I am getting confused. The activity recovery strategy template document which I have purchased didn't mention the incident scenario. How can we draft strategy documents without considering the disruptive incident scenarios?