Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk Assessment
I'm struggling to get my head around one concept on Risk Assessment so wonder if you could help.
I've purchased your Secure & Simple book plus read other valuable information on advisera.com (all really helpful thanks), however, still struggling to find a clear answer on this.
When performing the initial assessment of the risks to an asset to provide the inherent risk level, should this take into account the existing mitigation controls in place, or should all current controls be omitted?
My thinking is an assets threats and vulnerabilities should be determined under current controls conditions, e.g. asset 'a' is an online system containing personal information, the threat could be unauthorized access to PI and the vulnerability could be using shared authorization credentials - but if we have a policy in place that states shared credentials/passwords must not be used, plus User training enforces this, should this be taken into account when scoring the likelihood?
We have a mature security model in place so coming at the risk assessment with a lot of controls already in place. Our risk assessment should be to identify and prioritize those assets with the highest risks which require mitigation.
Might have answered my own question in that last paragraph!?
-
Surveillance audits
1. Does the external auditor have to do complete surveillance for all controls in the SOA the same as the first year of certification?
2. How long does it take to complete the surveillance audit with regard to the initial certification audit duration? -
ISO 27001 objective and requirements
Pelo que li da norma o objetivo é garantir a confidencialidade, a integridade e a disponibilidade da informação. A qualidade da informação não me parece que seja preocupação da ISO 27001. A qualidade é necessária, mas, é controlada por outros meios. Quando vejo solicitação de carta de competência, por falta de diploma de um colaborador, ou obrigatoriedade de apresentação do perfil do profissionaldo colaborador não entendo o que isso tenha a haver com segurança da informação. Entendi errado?
-
Time dedication to work on the implementation project
I work for a StartUp and we develop an android application of XYZ. We are interested in implementing ISO 27001 but we have some interrogations on how much time it takes. Your solution with a tool kit is a very good option because it is cheaper than a consultant and we can't imagine going on the ISO journey alone! During the webinar, you said that for a small organization (we are 2 in the US for the strategic part + a development team of 3 people in India) it can take between 5 and 8 months to implement ISO 27001. Can you tell me in this case with your tool kit how much time do you think the project leader should work on ISO during his week? -
27001 Scope Confusion
Our company is doing a product-specific scope for ISO27001. It's not clear to me how complex this will get to carve out the scope of the product when dealing with internal Shared services.
For example, Corporate IT manage the laptops, office networking, and e-mail accounts of the engineers/administrators of the product. But has no access to the network/servers of the product itself. Compromise of their office networking, laptops, or corporate account may influence the security of the information/system in scope (stealing credentials, exploitation of trust, etc). I know this depends on the auditor, but is it reasonable to state corporate IT process/procedures out of scope but still a dependancy?
Dialing this back though, nobody involved has a formal ISMS, nor a proper framework for policy/procedures/controls.
-
Inherent vs Residual Risk
Considering the initial risk assessment is done taking into account controls already in-place, is it accurate to say that if these controls are sufficient, there should be no change between the inherent and residual risk score? Added to which, are there any circumstances where you would risk assess assuming NO controls? You wouldn't approach a risk assessment for crossing the road with worst-case scenario at the outset, i.e. with a blindfold, earplugs and at rush-hour there is a high probability you will be killed?! That can't be your starting point or all risk assessments would be artificially skewed. -
Accreditation bodies for training providers
I wonder if I can be cheeky and ask your advice, I am looking to study for my ISO27001 lead auditor certification, I see there are a couple of different certification bodies. Would you say the IBITGQ certification holds the same weight as the others or should I look to the others? Thanks in advance for your advice. -
ISO 27001 Implementation Committee
I was hoping to ask you which parts of an organization would sit on the ISO 27001 Implementation Committee for a company?
HR/ Legal / IT representatives / Security personnel for example -
Justification in the SoA
Hi, I have some questions about the "Justification for selection / non-selection" in the SoA:- Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?
- We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability “inadequate protection from unauthorized access” occurs many times. Is it acceptable to justify on the basis of 'All risks associated with “inadequate protection from unauthorized access”' rather than itemize each risk?"
-
Recommended file/folder structure
Is there a recommended file/folder structure best practice for ensuring quick access to live and most frequently used documents? Is there a recommended resource for templates for Access control matrices, asset registers, etc. for SharePoint / Office 365?