ISO 27001 & 22301 - Expert Advice Community


  • Templates for controls from Annex A

    Just 2 more questions please:

    Regarding the 27001 security control ANNEX 7 ‘SYSTEM ACQUISITION, DEVELOPMENT & MAINTENANCE’, do you have one single document that addresses this particular control? If not, which selection of documents do I need to purchase to address these requirements?
    Likewise, is there one single document that covers Annex 7 – HUMAN RESOURCE SECURITY?

  • Risk assessment

    1. Regarding risks that come from outside of the scope, should we consider these risks in the Risk Assessment and apply controls to mitigate them, or do we need to include the source of them in the scope? For example: there are some laptops that can access and (download or view) some sensitive data from what is in the scope, so do we need to include these laptops in the scope, or just apply some controls to mitigate the risks that come from them?

    2. What is the difference between the existing controls and planned controls? Do we need to have both in the risk register?

    3. Should we write already mitigated risks in the risk assessment phase? For example: a security feature in a system is enabled, so there is no risk right now, but if someone disables this feature, then it may lead to a potential risk, so do we need to write down these risks in the risk assessment phase?

    4. How can we design criteria for the impact if our scope is in the cloud?

  • Residual risk

    Explain how to check that information on significant residual risk is provided to the appropriate people

  • ISO 27007 vs ISO 19011 for auditing

    Hi, what are the key practical differences between these standards for auditing? My organisation has decided to adopt ISO 27001 as a best-practice framework, but there is currently no intention to certify and the project is not likely to start in the foreseeable (at least 12 months) future. We have several existing measures and controls, but it has been decided we need to look at an audit approach to determine maturity. Which of these frameworks would be best? Thanks, Brian.

  • Consulting and conflict of interest

    I have a question and don’t know where I can find the answer to that.
    I know a CB is not allowed to do consulting.

    1 - When we talk about ISO 27001, what is the consulting evidence?

    2 - Is a pen test or a contract for implementation of a SOC a type of consulting?

    3 - Is a CB allowed to give these services to their clients?

  • ISO 27001 implementation

    Thank you very much for your time and detailed answers. I only have one more question before I make the purchase:

    Comparing the two documents you provide (attached), I see a discrepancy: a few of the documents listed as mandatory in the Checklist are missing from the List of documents in the Toolkit:

    - Definition of Security roles and responsibilities
    - Acceptable use of assets
    - Operating procedure for IT management
    - Secure system engineering principles
    - Business continuity procedure

    Please explain.

  • Security service presentation

    Hello, I am making a presentation for "STANDARD MANAGEMENT SYSTEM FOR THE SECURITY SERVICE" and I cannot seem to find what I need about 3 questions. Can you help me?

  • Agile methodology and ISO 27001 implementation

    What book can you suggest to me for learning agile methodology and are there any forms to guide the project towards that methodology?

  • ISO 27001 and PCI DSS/ PA DSS

    How much of the scope of PCI DSS / PA DSS will ISO 27001 cover?

  • Risk assessment table

    From the tutorial:

    1. Is the risk rating based on taking into account existing controls, or on the case of no controls at all, before controls are applied?
    How does control no. 4 affect the risk level of risk no. 4?

    Shouldn't the sequence be:
    - assess risk
    - take into account existing controls
    - update risk taking into account existing controls
    - perform risk treatment for unacceptable risks and document in risk treatment table
    - define a risk treatment plan

    2. What about existing controls for nos. 1-3? None implemented yet?

    3. What about controls for risks that can be accepted?