ISO 27001 & 22301 - Expert Advice Community


  • Owner of general procedures

    We are discussing the ownership of general procedures. We have a classification of information in my organization and we are pretty much ISO27001 compliant. I, as an IT auditor, consider that the "head" of the organization is the owner of the general procedures, which are applied throughout the organization. Do you find it correct?

  • Risk Deviation

    I really like your book as it is more detailed and clearly defines the meaning. But I have a doubt about one term, "Risk Deviation": what does it mean? I do hope you could help me with an explanation of this.

  • Segregation of duties

    1. Regarding Segregation of duties I believe some jobs can’t be combined (like the SO can’t be the DPO?)

    2. Are there specific combinations that are not done? We have these roles in the company, to divide among 4 people:
    Security officer (is also Risk manager & Authorization officer)
    Internal auditor (external consultant)
    Service manager (is also Change manager & Incident manager)
    Security tester (outsourced)
    Compliance officer
    Solutions Director
    DPO

    3. Do you also have standard lists of the Responsibilities & Requirements of these roles?

  • Overlapping between ISO 27001 and ISO 9001

    I was looking for the overlap and/or mapping between ISO 27001 and ISO 9001. We are ISO 27001 certified and I was looking at which one would be an added value: ISO 9001 or going for SOC 2 report compliance.

  • ISO/IEC 27001:2013 ISMS Document Implementation

    I need to write up a draft ISMS document that meets the ISO 27001 requirements for an SME. Could someone please guide me on where I can find a template of one? Otherwise, can someone provide the headings that I should include in the document, please?

  • Assets of Threats Diagram

    We need a "Diagram Assets of Threats".

  • Risk treatment plan

    Good evening, I am drafting a security plan to protect the information of an institution's IT platform. I would like to know the correct way to produce the necessary studies and the recommendation and applicability reports for the respective security assurance.

  • Certification requirements

    We are users of the 27001 certification documentation package and also users of the cybersecurity training videos, etc.

    I would like to know whether, in the 27001 certification process, the auditing company requires, and therefore it is mandatory, that a certified Implementation Leader exist when starting the certification process.

  • Questions about ISO 27001

    1. Do I need to provide a justification if I didn't choose any of the Annex A controls?
    2. If a control is applicable but some of its content is not, do I need to provide a justification for each point? Example: in the code of practice, A.9.1.1 has points from a to k; if points j and k are not applicable, do I need to add a justification for not choosing them?
    3. If I wrote the access control policy and my scope is the cloud and the applications running on the cloud, and there is a point in the policy that is applicable to some of the applications but not to the rest, should I add a justification for this?
    4. How can I identify controls and consequences in risk identification?

  • ISO 27031

    ISO 27031: is this standard still in existence?
    I wasn't sure if that standard was merged into 27001 and 23001 or is still a stand-alone standard.