ISO 27001 & 22301 - Expert Advice Community


  • Policy for use of cryptographic

    I need advice on how policies on cryptography should be documented. This is in order to achieve ISO 27001 certification.

  • Auditor costs

    Do you know how much ISO auditors usually cost?

  • Assets in the cloud

    When developing the policy for our inventory of assets, the question came up around how do we inventory ephemeral assets in the cloud? Some servers are spun up when the extra compute is needed, then they are torn down automatically and are gone. Do we need to account for those somehow as well?

  • ISO 27001 and NESA requirements

    Is ISO 27001 a prerequisite to comply with NESA requirements?

  • Filling SoA

    Months ago we had a call to talk about the certification process. Reviewing Conformio, I find a field “Control Objectives” about which I am not very clear on how to fill it in. For this reason, I would appreciate it if you could share some examples of the information that should go in this field.

  • Business Continuity and Disaster Recovery Plans

    I've purchased several of your ISO 27001/23001 templates and have a question. Currently working on Business Continuity and Disaster Recovery. It seems that the DR Plan template (including the 'Appendix 6' version) has a lot of information that's redundant with the BC Plan template. Should I really duplicate all of that, or is it common practice to include ONLY the 'Necessary Resources' and 'Recovery Steps' as Appendix 6 (DR Plan) within the BC Plan? Please advise. Thank you!

  • Cybersecurity audit

    But still I have some doubts here:

    My past work experience is in network and server monitoring, and I do not have any experience of coding and scripting. Can I do this certification?

    I have seen cybersecurity personnel doing coding and scripting stuff, so I have this question longing in me. Please guide me.

  • Risk Assessment

    I'm struggling to get my head around one concept on Risk Assessment so wonder if you could help.

    I've purchased your Secure & Simple book plus read other valuable information on advisera.com (all really helpful thanks), however, still struggling to find a clear answer on this.

    When performing the initial assessment of the risks to an asset to provide the inherent risk level, should this take into account the existing mitigation controls in place, or should all current controls be omitted?

    My thinking is an asset's threats and vulnerabilities should be determined under current control conditions, e.g. asset 'a' is an online system containing personal information, the threat could be unauthorized access to PI and the vulnerability could be using shared authorization credentials - but if we have a policy in place that states shared credentials/passwords must not be used, plus user training enforces this, should this be taken into account when scoring the likelihood?

    We have a mature security model in place so coming at the risk assessment with a lot of controls already in place. Our risk assessment should be to identify and prioritize those assets with the highest risks which require mitigation.

    Might have answered my own question in that last paragraph!?

  • Surveillance audits

    1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?
    2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration?

  • ISO 27001 objective and requirements

    From what I have read of the standard, the objective is to guarantee the confidentiality, integrity and availability of information. The quality of information does not seem to me to be a concern of ISO 27001. Quality is necessary, but it is controlled by other means. When I see a request for a letter of competence because an employee lacks a diploma, or a requirement to present the employee's professional profile, I do not understand what that has to do with information security. Did I misunderstand?