ISO 27001 & 22301 - Expert Advice Community

  • BIA and RTO

    So, I would like to ask you some questions about BIA:

    1. How to determine RTO? It is clear for MTPD.
    2. Who determines RTO? Department responsible for critical activities or Department responsible for resources supporting critical activities (IT, logistics, …)?
    3. About your example during the webinar: if the RTO of IT is 8 hours and the RTO of one critical activity is 4 hours, and this activity depends on IT, which RTO will be considered?

  • Procedure for Document and Record Control

    This question is regarding document scope, especially as it pertains to section 3.2 Document Approval.

    In our very small organization, all ISMS-specific documents would be reviewed and approved by two individuals. That I understand, no problem. But for client work/project-related documents that are created, such as project plans, creative files, copy decks, etc., oftentimes there is no review and approval process needed. Documents are created by the employee and sent to the client.

    How would that be described in section 3.2? Do I describe an "exemption" for review and approval of client project work files?

  • Cyber-attack contingency plan template

    Do you guys have a cyber-attack contingency plan template?

  • ISO 27017 certification process

    My first question is about the formal process for a company to get certified to ISO 27017 if it is already certified to ISO 27001. Is it just about asking the audit provider to verify the additional questions and deliver the "statement of compliance"? Or is there a certification for which the company should conduct a proper and distinct audit to obtain it? My second question is: Can a company say that it is certified for information security management for cloud computing services just with ISO 27001/27002?
  • Video Tutorials not aligned to downloaded document

    I am using the video tutorials to complete the documents I downloaded. However, they do not align completely. I am currently looking at the ISMS Scope tutorial, and the document being used in it does not align with the document we have purchased.

  • Template content

    In the file 00_Verfahren_zur_Lenken_von_Dokumenten_und_record_27001_DE.docx there is a comment from you: "Delete if the declaration of applicability precludes measure A.8.2.1 according to ISO 27001." Where are the measures? I have to read the measures first so that I can exclude them.

  • Owner of general procedures

    We are discussing the ownership of general procedures. We have a classification of information in my organization and we are pretty much ISO27001 compliant. I, as an IT auditor, consider that the "head" of the organization is the owner of the general procedures, which are applied throughout the organization. Do you find it correct?

  • Risk Deviation

    I really like your book, as it is more detailed and clearly defines the meaning. But I have a doubt about one term, "Risk Deviation": what does it mean? I do hope you could help me with the explanation on this.

  • Segregation of duties

    1. Regarding Segregation of duties I believe some jobs can’t be combined (like the SO can’t be the DPO?)

    2. Are there specific combinations that are not done? We have these roles in the company, to divide among 4 people:
    Security officer (is also Risk manager & Authorization officer)
    Internal auditor (external consultant)
    Service manager (is also Change manager & Incident manager)
    Security tester (outsourced)
    Compliance officer
    Solutions Director
    DPO

    3. Do you also have standard lists of the Responsibilities & Requirements of these roles?

  • Overlapping between ISO 27001 and ISO 9001

    I was looking for the overlap and/or mapping between ISO 27001 and ISO 9001. We are ISO 27001 certified and were looking at which one is an added value: ISO 9001 or going for SOC2 report compliance.