ISO 27001 & 22301 - Expert Advice Community

  • Certification of IT Service Provider

    Can an IT service provider get certified for ISO 27001 for work done out at client locations?

  • Classification policy

    In the policy:

    Steps and responsibilities for information management are the following: 

    Step name
    1. Entering the information asset in the Inventory of Assets 
    2. Classification of information
    3. Information labeling
    4. Information handling

    If classified information is received from outside the organization, [role] is responsible for its classification in accordance with the rules prescribed in this Policy, and this person becomes the owner of such an information asset.

    We receive data files very often. Are we required to enter each and every one of them into the inventory of assets? That sounds onerous from our perspective, and that inventory would be extremely long and a burden to keep up to date. Is it permissible to instead include a description of the data/file type that we receive?

  • Risk owner

    1. I'm trying to find out who the risk owner would be for a technical risk (one of the nine from the STEEPCOIL)

    2. With regards to the risk categories, do you know which one a power surge or a loss of power would fall under?

  • Appendix_1_Risk_Assessment_Table - vs. - A.8.1_Inventory_of_Assets

    I have a question regarding asset list/inventory. We are creating the list of assets for the Risk Assessment and Risk Treatment process. Once that list is complete and we come up with threats and vulnerabilities for each, is there any need for a separate list of assets as in A.8.1 Inventory of Assets?

    I know that you have stated that "assets are not only the information in electronic and paper form, but also software, hardware, services, people, facilities, and everything else that provides value to an organization.", so I have a question on that as well:

    Our company is using a consulting group that has an online tool for managing all records and policies, but it seems to define assets strictly as devices. Also, risks are listed separately and are linked only to "category type", not to a specific detailed asset.

  • BCP and DR: ISO 22301

    I am an Information Security Officer in a retail industry company with hypermarkets and malls in ***. My company is in the retail industry and our core business is providing and selling goods to our customers in these hypermarkets through Point of Sale terminals. We are also doing online e-commerce through our website.

    Our company has different departments, like:

    1) HR

    2) Finance

    3) IT

    4) Facility Management

    5) Admin

    6) Operation

    7) legal

    I am implementing ISO 22301 and I need to do the scoping of the BCMS. Can you please advise me on how I should perform these tasks? What are the things that I should consider while scoping and what departments should I include in the scope of the BCMS?

  • BC Plan

    Hi
    I have implemented a BCMS with one department/business unit as the scope and got certified as well. Now I am increasing my BCMS scope and I am done with the BIA with another department, and now I am ready to make the strategy and plan for them. I need clarification on the points below. I initially made the BC strategy document for the business unit and it is specific to them.

    Do I need to edit the same BC strategy document and add the BC strategy for the new business unit, or can I create a new BC strategy document for each department?
    Do I need to write the workarounds for the processes/activities which I identified in the BIA conducted with the departments in the BC plan?

    Can I have both the BC strategy and the BC plan in a single document for each business unit?

    Please advise

    Thanks

  • Adoption of ISO 27001

    1. We have been told by a client (a bank) that we need to become ISO 27001 accredited as a company to meet their security standards.
    But we are only a small organisation and do not have in-house IT people.
    Would you recommend we contract an IT consultant for some time and use your framework?

    2. How do you work with clients like us? I’m not sure where to start.

  • Template content

    We need some guidance in understanding and applying one section of your template for the Acceptable Use Policy, §3.14 — E-mail and other message exchange methods.

    The final paragraph of that section requires that “Each e-mail message must contain a disclaimer, except messages sent through communication systems determined by IT Manager. Should a user post a message on a message exchange system (social networks, forums, etc.), he/she must unambiguously state that it does not represent the organization's viewpoint.“

    It is not clear to us what the intended purpose or scope of this requirement is. Does it apply to both business and personal messages? We state elsewhere that only business communications may take place over the organization's information exchange systems. Is it referring to postings on social media talking about the company, which should state that they do not represent the organization's viewpoint? Can you give us examples of the kind of disclaimer that is intended here? I find no direct reference to this within ISO 27001.

    Is this really two separate requirements? One for all e-mail communications stating the privacy requirements that we often see at the bottom of incoming e-mails, and another requirement stating that someone's personal opinion does not necessarily represent the organization's viewpoint? Can you please help us understand this requirement so we can establish the appropriate controls?

  • Developing documents

    How do we develop documents to meet the audit requirements below, and what is the best way to provide answers to each of the requirements during an audit?

    1. Management commitment, including policy, roles, responsibilities & authority
    2. Cl. 7 Support, including competence, awareness and control of documented information
    3. Business continuity strategy, including resource requirements
    4. Context of the organization

  • Roles and Responsibilities document

    Where would we include a listing of roles and responsibilities? Should it be included in one of the mandatory documents, or in a separate document? Or is it even necessary at all?