ISO 27001 & 22301 - Expert Advice Community

  • Asset register

    I need to build an asset and a risk register. I think I understood the concept, but I'm having some difficulties drawing up an Excel file.

    I understand that there are primary assets (processes, information) and supporting assets (PCs, SW, site, etc.).

    1 - Should all these assets be included in the same column, having for example the categorization in another column or should I have 2 different tables, with a relation between supporting assets and primary ones?

    2 - Are the threats and vulnerabilities related to supporting assets and thus impacting the related primary assets? How should this be mapped in an Excel file?

  • Change management policy

    I am looking for a definition and examples of change under a change management policy.

  • Risk assessment

    1. As I fill out the risk assessment table and do the risk assessment, we are finding that some risks should be owned by a third party connected to our ISO scope. Is it OK to list them as the asset and risk owner? They would be responsible if the risk were to surface.

    2. We have some SDLC (systems development life cycle) controls listed in 06 SOA. We stated in our scope document that software development is not in scope; however, if we know that controls are already in place, should we document that in the SOA?

    https://www.screencast.com/t/ePmb11HCWx2g

  • Activity strategy document

    I am getting confused. The activity recovery strategy template document which I have purchased didn't mention the incident scenario. How can we draft strategy documents without considering the disruptive incident scenarios?

  • ISO 27001 controls

    How to implement ISO 27001 controls more effectively.

  • Risk register

    I am working on a risk register and wanted to know what could be a list of threats for employees in different departments working on appraising a project.

  • Scope for ISO 27001

    Our company is planning to go for ISO 27001 certification this year. Our company is an SI, supporting and implementing enterprise-level cybersecurity projects for many sectors. As for the scope, we want to define our production network only, which contains many critical systems/security controls like firewall, DNS, AD, and many more... Our boss wants to say that the company's production network is running in accordance with the ISO 27001 standard. I wonder whether that scope is acceptable to the auditor or not.

  • Controls A.6.1.3 and A.6.1.4

    1. How can the organization be compliant with these controls?

    A.6.1.3: Contact with authorities: Does it mean contact with the Superior Authority, which is also the supreme body for GDPR?

    2. A.6.1.4: Contact with special interest groups: Is having ISACA memberships or memberships of some other interest groups taken into consideration?

  • Control A.14.2.7

    We are in the process of implementing ISO 27001. The company doesn't have external development, so the A.14.2.7 control for outsourced development is not applicable. Shall we consider all A.14 controls not applicable, or only A.14.2.7? Your advice is highly appreciated.

  • Risk treatment plan vs Statement of applicability

    I'm trying to understand the difference between the risk treatment plan and the statement of applicability. Shouldn't one document show what controls need to be implemented? It seems like the purpose is the same.