Guest
I am looking for some references to prepare a document that will be used as guidance for managing performance indicators, but with an information security focus. They would be indicators for:
Availability: links, servers, services, etc.
Confidentiality: theft, fraud, etc.
Integrity: backups, viruses, etc.
If you have any material that could support me in creating this standard, I would appreciate it; also, if you have more practical examples of these indicators, that would help a lot.
In the ISO 27001 Toolkit, we have the attached Template (Disaster Recovery Plan). My question here would be if we need only the attached Document to prepare our Business Continuity Plan for ISO 27001 Certification or we need to buy other related docs mentioned in the link below.
https://advisera.com/27001academy/documentation/list-of-business-continuity-sites/
Is it not an actual license to be an ISO 27001 Lead Auditor? So if I have the certificate from this course, what certificate do I need, what license do I need, to be able to perform an audit in a company and get them ISO 27001 audited? Will this license allow me to do it or not?
1. How shall I deal with SaaS solutions such as Office365 and Gitlab.com when it comes to controls related to backups and business continuity? I don't think it is feasible to build an on-premise DR site for such a solution.
2. Also, do we have to keep a backup of our emails or does it depend on the risk assessment and whether we accept such risk?
Could you please elaborate more or give examples for this column in the Disaster Recovery Plan.
Hi, I have a question regarding ISO 27001 documentation. Can I combine control documents where it makes sense to do so, or should they always be separate? For instance, I wish to put the individual user agreement, wireless user addendum, and mobile phone addendum under the same agreement. Is that allowed, or is it perhaps bad practice? Thank you
Do you think it is possible to use the output of ISO 27001 controls/monitoring/records in an appropriate ISAE 3402 Type II audit/report?
In ISAE 3402, the auditor checks the results/KPIs of a predefined set of controls against control objectives for a given past time period and produces an "Assurance Report".
It sounds to me as if ISAE 3402 is just the "Check" part of the PDCA cycle of the ISMS?
It would be great to combine the two standards (provided the ISAE 3402 scope is information security related, of course) and simply use the controls that have been documented by the ISMS, using the monitoring output and internal audit output for the auditor.
Is that common practice?
I just have one big question: how long does the ISMS have to operate (days, months, years) in order to get certified?
I have two questions regarding the Risk Assessment Table.
Is the information on the following link still relevant?