ISO 27001 & 22301 - Expert Advice Community


  • Denial of Service Attack

    I'm thinking, when I have a Denial of Service attack, what asset should I put this into?
    I mean it is digital, but what documents can be affected by this?

    My question was regarding a DDoS attack, as I am filling in the risk report. I downloaded a template and I'm trying to follow that. I work for a web hosting company, so this report is for the IT department only and obviously it is just a starting point.

  • Annex A

    Can you help us by giving us various examples of justification (applied or not) for the different measures in Appendix A?

  • Integrated Management System

    My company has taken an integrated approach to ISO 27001, 9001 and 22301. I have 2 questions:

    1. We have integrated the 3 risk registers and have been having monthly risk meetings, but we would like to find out how often the SOA would change from the ISO 27001 perspective. Would it be after each risk meeting? What happens if a control has been implemented and another risk is identified for the same control?

    2. We are approaching our surveillance audit soon and would like to find out what an auditor would typically look out for during the surveillance audit.

  • CISA or CISM course

    I would like to have the CISA and CISM certification and want to know which of the ISO 27001 courses meet that. Is it the Lead Implementer or the Internal Auditor course?

  • A.12.7.1 Information Systems Audit Controls

    1. Does executing penetration tests on a regular basis serve the purpose of being compliant with this control, or do you suggest any other method?

    2. Do we need to document a formal process for the penetration test and execute it accordingly?

  • ISMS scope

    Are internal departments providing services to an ISMS scope, but not part of the scope, managed as 3rd party suppliers?

    My specific question is actually regarding asset ownership for assets in a 27001 scope which is a business unit in a company and not the entire company. How are asset owners addressed/managed if they are actually working in a business unit external to the scope? For example, IT assets used within scope; however, they are owned by a Group IT function? I do hope this makes sense.

  • Acceptable use policy

    I have a quick question about the acceptable use policy.

    1. When it is ready, can it also be used as the information security policy, as a more detailed version?

    2. And secondly, is it necessary that employees sign the acceptable use policy? Or is it good enough to communicate the policy within the organization?

  • Company records

    Why is it not best practice to classify all company records as confidential?

  • 27018 controls

    Re ISO 27018, we have a substantial amount of our infrastructure in the cloud (Azure and Google). Do we need to apply any 27018 controls, or can we cite the compliance of Google and Microsoft with the ISO standards to check that box?

  • Risk analysis process

    At the moment, I have a query. In my experience, risk analysis is a process that takes a long time to implement in companies (in some cases 3 years to complete the first cycle). And, as we know, it starts and never ends. In this regard, what level of initial risk analysis do they recommend, taking into account that generally an organization decides to implement the security policy as soon as possible?