ISO 27001 & 22301 - Expert Advice Community


  • ISMS and SaaS solutions

    1. How shall I deal with SaaS solutions such as Office365 and Gitlab.com when it comes to controls related to backups and business continuity? I don't think it is feasible to build an on-premise DR site for such a solution.
    2. Also, do we have to keep a backup of our emails, or does it depend on the risk assessment and whether we accept such a risk?

  • Template content - DRP

    Could you please elaborate more on, or give examples for, this column under the Disaster Recovery Plan?

    https://www.screencast.com/t/nUHexNyo

  • ISO 27001 documentation

    Hi, I have a question regarding ISO 27001 documentation. Can I combine control docs together where it makes sense to do so, or should they always be separate? For instance, I wish to put the individual user agreement, wireless user addendum, and mobile phone addendum under the same agreement. Is that allowed, or perhaps bad practice? Thank you

  • ISMS audit results for ISAE 3402 Type II Audit/Report

    Do you think it is possible to use the output of ISO27001 controls/monitoring/records in an appropriate ISAE3402 Type II Audit/Report?

    In ISAE3402, the auditor checks results/KPIs of a predefined set of controls against control objectives for a given time period in the past and produces an "Assurance Report".

    It sounds to me as if ISAE3402 is only the "Check" part of the PDCA cycle of the ISMS?

    It would be great to combine the 2 standards (provided the ISAE3402 scope is information security related, of course) and simply use the controls which have been documented by the ISMS, and use the monitoring output and internal audit output for the auditor.

    Is that common practice?

  • ISMS operation before certification

    I just have one big question. How much time does the ISMS have to operate (months, days, years) in order to get certification?

  • Risk Assessment

    I have two questions regarding the Risk Assessment Table.

    1. We are preparing this table for the first time. When listing an asset, is it OK to use a generic category for the asset so that it includes multiple real assets, or must each real asset be listed individually? For example, if I have 10 desktop computers, must each be listed separately, or can I make one entry for "desktop computer", assuming the risks are the same for all 10?
    2. My second question is about the existing control column. Is it OK to list a preventative measure that has not been documented in a policy, or must it be an explicit control that is documented? For example, if I have a server that is vulnerable to power failure, can I list the existing control simply as "the server is plugged into a UPS", or must I cite a policy document that indicates all servers must be plugged into a UPS? Again, this is the first time this document is being written, and we understand that we will need documented controls for the Risk Treatment Table.

  • ISO 27001 2019 review

    Is the information on the following link still relevant?

    (https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision)

  • Assignment of documents

    Hello,
    we use XYZ as our document management system. I have mapped the structure of the ISO 27001 standard in XYZ.
    This means that I store all documents of the norm chapter 4.1 in XYZ. I now have the problem that I do not know where to file documents for Annex A. For example, the password policy concerns the sections A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.3. But how and where do I store them in XYZ? Does this belong in separate subchapters of chapter 8.1, or how do I best do it?

    I would be pleased about quick feedback.

  • BCM framework and policy

    Currently, I am drafting a BCM framework for my small organization, which is on a SaaS platform. We have multiple sites as well within XYZ and XYZ.

    Could you please give me some input/guidance on how to draft the framework and policy, and what points to consider, keeping SaaS in mind?

  • Level of information classification

    Hello all, I wanted to know what would be the most appropriate level of information classification to give to sensitive and non-sensitive PII.
    Are they considered confidential or less, or just restricted?