Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO/IEC 27001:2013 ISMS Document Implementation
I need to write up a draft an ISMS document that meets the ISO 27001 requirement for an SME. Could someone please guide me on where I can find a template of one? Otherwise, can someone provide the headings that I should include in the document, please.
-
Assets of Threats Diagram
We need a "Diagram Assets of Threats".
-
Risk treatment plan
Buenas noches, estoy redactando un plan de seguridad para el aseguramiento de la información de la plataforma informática de una institución. Me gustaría saber la manera correcta de generar los estudios necesarios y los informes de recomendación y aplicabilidad para el respectivo aseguramiento.
-
Certification requirements
Somos usuarios del paquete de documentos para la certificación 27001 y además usuario de los videos de entrenamiento en ciberseguridad, etc.
Quisiera saber si el proceso de certificación 27001 la empresa auditora exige, y por tanto es mandatorio, que exista un Líder de implementación certificado al iniciar el proceso de certificación.
-
Questions about ISO 27001
1. Do I need to put a justification if I didn't choose any of Annex A controls?
2. If one of control is applicable but some of that control content are not, Does I need to put justification on each point? Example: in code of practice, A.9.1.1 there's points from a to k if point J, K are not applicable shall I need to add a justification for not choosing them?
3. if I wrote the access control policy and my scope is cloud and applications running on the cloud, and there is point in the policy applicable to some of the applications but not applicable to the rest should I add a justification for this?
4. how can I identify controls and consequences in Risk identification? -
ISO 27031
ISO 27031, is this standard still in existence?
I wasn't sure if that Standard was merged in 27001 and 23001 or is still a stand-alone standard. -
Toolkit content
1. Hi there, we need to figure out whether or not we need ISO 27001 compliance. Some of the requirements our potential client has are as follows:
Audit review, plan, and information as to the audit standards they're using Network penetration testing Internal External Application penetration testing Vulnerability scanning for network, internal and external Logical network diagram, with data flow if possible with encryption levels. Security baseline stands? Hardening standards? Info on corporate RTO and RPO standards SDLC - tollgates Application testing? SAST, DAST, SCA, IAST, MAST? All policies, standards, and procedures documents, including Secure coding standards Risk assessment document Change management Conscia to provide a summary of our most recent Disaster Recovery (DR) audit Conscia to provide network and application layout diagram for our product.
2. What is a SIEM solution? What log review tools? Frequency of the log reviews. Is some of this covered in your toolkit?
-
Mobile device
I want to reconfirm with you about mobile device in ISO 27001, Does it include a laptop?
-
Difference between ISO 27001:2013 and ISO 27000:2016
I was wondering if there is any difference between ISO 27001:2013 and ISO 27000:2016(E)?
-
Requirement of records of training, skill, experience, and qualifications
I have become a little stuck on the requirement of records of training, skill, experience, and qualifications – some of these records seem to be captured in your Training and Awareness Plan, but I am I right in thinking experience and qualifications need to be kept elsewhere? (e.g. qualifications and experience captured by HR for each relevant staff member?)