We are users of the documentation package for ISO 27001 certification and also users of the cybersecurity training videos, etc.
I would like to know whether, in the ISO 27001 certification process, the auditing company requires (and it is therefore mandatory) that there be a certified Lead Implementer in place when the certification process begins.
1. Do I need to provide a justification if I didn't choose any of the Annex A controls?
2. If a control is applicable but some of its content is not, do I need to provide a justification for each point? Example: in the code of practice, A.9.1.1 has points from a to k; if points j and k are not applicable, do I need to add a justification for not choosing them?
3. If I wrote the access control policy and my scope is the cloud and the applications running on the cloud, and there is a point in the policy that is applicable to some of the applications but not to the rest, should I add a justification for this?
4. How can I identify controls and consequences in risk identification?
ISO 27031, is this standard still in existence?
I wasn't sure whether that standard was merged into 27001 and 23001 or is still a stand-alone standard.
1. Hi there, we need to figure out whether or not we need ISO 27001 compliance. Some of the requirements our potential client has are as follows:
Audit review, plan, and information as to the audit standards they're using
Network penetration testing (internal and external)
Application penetration testing
Vulnerability scanning for network, internal and external
Logical network diagram, with data flow if possible, with encryption levels
Security baseline standards? Hardening standards?
Info on corporate RTO and RPO standards
SDLC - tollgates
Application testing? SAST, DAST, SCA, IAST, MAST?
All policies, standards, and procedures documents, including secure coding standards, risk assessment document, change management
Conscia to provide a summary of our most recent Disaster Recovery (DR) audit
Conscia to provide a network and application layout diagram for our product
2. What is a SIEM solution? Which log review tools? What frequency of log reviews? Is some of this covered in your toolkit?
I want to reconfirm with you about mobile devices in ISO 27001: does this include a laptop?
I was wondering if there is any difference between ISO 27001:2013 and ISO 27000:2016(E)?
I have become a little stuck on the requirement for records of training, skills, experience, and qualifications. Some of these records seem to be captured in your Training and Awareness Plan, but am I right in thinking that experience and qualifications need to be kept elsewhere (e.g. qualifications and experience captured by HR for each relevant staff member)?
Having carried out the risk assessment, I have a number of risks that are of the highest severity but the lowest occurrence. Am I right in saying that the severity is based on the worst-case scenario that could occur based on the threat? For example, take the threat that antivirus is not installed on a laptop. The worst-case scenario is that someone gets our cloud admin permissions. However, this has never happened before, as we do have antivirus in place, just not the documented procedures. So it has the highest severity and a low occurrence. Due to the nature of our business, we want to have documented controls and mitigation in place for all our threats. This leads me to the treatment plan. We will put in place controls to treat this threat, which I gave as an example. We will recalculate the risk evaluation after mitigation. Am I correct in saying that the severity and occurrence will not change in this case? Am I correct in saying that the severity of the risk will never change, just the likelihood of occurrence? Thank you
How can the organization be ISO compliant on this topic (Intellectual Property Rights)?
For example, the organization protects its own intellectual property rights, but it needs to protect the intellectual property rights of others as well. Should these be the intellectual property rights of all the interested parties?
I have seen this article on your website and I was wondering what this exactly contains. We work in a medical environment (XYZ) and would like to know if you manage a catalog with all country-specific laws.