ISO 27001 & 22301 - Expert Advice Community


  • Clarification about controls of ISO 27001:2022

    IRCA circulars and publications refer to controls of this standard with the prefix “A.”; e.g. A.5.34, A.7.1 etc. This was the practice in ISO 27001:2013 also.

    The 2022 release of the standard itself refers to them without such a prefix. I would like to refer to them with the prefix, as otherwise controls like 7.1, 8.2, 5.3 etc. may be confused with the corresponding clauses.

    Is there any other logic in favour of referring to the controls with the prefix “A.”? While browsing the internet we see that both styles are being followed.

  • Questions about toolkit templates

    1. In document 04-Information Security Policy, the item "4.4 Business Continuity" of the document index does not appear in the body of the document. Please indicate whether we should remove this point from the index, or whether you will send the text of the missing part.

    2. For the appointment of the security officer and security committee, do you have a standard document that allows us to carry out the board of directors minutes for the appointment, and the appointment of the role or position to the corresponding person, or if this is going to be an external entity that provides the consulting service?

  • Internal audit section of ISO 27001:2022

    This might come across as a silly question, but in the project checklist in the ISO toolkit, there is a section dedicated to operating and monitoring the ISMS. What actually needs to be completed under this process, just so I'm very clear and able to advise the project team?

  • ISO 27001 Internal Auditor Course Question

    With regard to the Q/A listed below, I cannot see the relevance of the question to the section being discussed, Module 9 "Document Review".

    Document review - quiz question

    Not sure I follow the answer (2) to this question in context of Document Review

    Q: When performing the document review you must take into account:
    1. Only the context of the organization, including its size and complexity. – Incorrect! These are not the only elements that should be considered when performing the document review.
    2. The risks and opportunities associated with the context of the organization. – Correct!
    3. The clause order of the ISO standard, so you can follow the exact sequence during the document review. – Incorrect! It is not mandatory to follow the sequence of the clauses of an ISO standard, you must follow the sequence that you believe is the most efficient and effective.
    4. All the above. – Incorrect! a) and c) are not correct statements.

    Please explain

  • Risk Assessment Question

    At *** we are currently working on our first Risk Assessment and as it's a complicated process, we do have some questions.

    1 - Following the steps, we first identified the assets and asset owners.

    It was quite difficult given the fact that for the same asset, we may have different asset owners.

    Should we keep them in separate lines? It's highly possible that there will be a different Risk Owner.

    2 - Our company develops software and has many different applications. Therefore, the Category of Applications & Databases is quite long (42 lines!). We are trying to merge them as much as possible but struggle because we don't know if and how risky it will be to group them (since there are different asset owners).

    For a company of 50 people, we have gone too deep and need to get out before we proceed.

    Should we merge per name of asset?

    3 - Should we take into consideration the asset owner?

    4 - Can we have the same 'name of asset' more than once?

    5 - Given that the company is relatively small, our CEO can also be an asset owner besides being the risk owner. As 'asset owners' we recognised all those who have access to a document, application or infrastructure; is that correct?

    6 - In addition, our company is located in 2 different countries with only one of them being in the scope for certification. The other (recognised as a subsidy) will fully adopt the policies and actions of the mother company. That's why we implement the Risk Assessment and in general the ISO implementation simultaneously. All decisions derive from the mother company and the subsidy has an Office Manager who will probably be the Risk Owner for most of the assets in his country-responsibility.

    Some of our assets are doubled for this reason, for example: Office rooms in country A (one asset) & Office rooms in country B (second asset).

    Would you consider it 'too much'?

    7 - Would you do a screening of our risk assessment table once it's done (Assets, Threats, Vulnerabilities, Risk Owners, Risk Identification)?

  • ISO 27001 Risk Register

    We are currently working on ISO 27001 project in our company.

    We are using your Conformio to do it.

    We have one question about the Risk Register we thought you might know the answer.

    In short, our company is offering IT Support services for other companies.

    My question is this,

    We keep our servers in a Datacenter which is hosted by another company. So, they manage the security of this location.

    However, there are risks associated with the Datacenter that we need to be aware of.

    For example, that our former employees’ access to the Datacenter is terminated.

    Or that the Datacenter is protected in a way that we can accept.

    Basically, we can’t control the security of this datacenter, but we need to be aware of the risks.

    So, can we include the Datacenter in our Scope if we can’t truly manage it?

  • Training Register

    I can deduce that Conformio provides a register to record all training requirements for individual employees or employee groups (the Trainee name need not be a person). The date is just the date when the new training is created. After the training is created, I just need to update its status as it progresses until it is “Performed”. The PDF report will just show all the training records created with various statuses, which is not very helpful.

    I thought that ISO 27001 requires that we have an annual training plan for the company, and Conformio is not doing it for us? Please advise.

  • Did ISO 27002 have any update between v2013 and v2022?

    Did ISO 27002 have any update between v2013 and v2022?

    If so, what were the numbers/dates, please?

  • Queries on Risk register

    Another question I have is regarding the server portion of the risk register, which is found, for instance, in IT and communication equipment. How should this part be defined from a general standpoint? We have added several assets that were relevant to our organization; for example, we have added AWS Infrastructure, Google Infrastructure, Office IT Infrastructure, and Microsoft Infrastructure. Would you kindly help us with this? Therefore, do we need to define this as an infrastructure as a whole, or do we need to add the different assets that are applicable to the organization?

    Another issue is that third-party off-the-shelf applications are available for software and databases in a Risk Register. Since we use third-party programs like Phabricator, Microsoft Office 365, container hosts, virtual machines, containers, Jenkins, and virtual machines (Windows), we must decide whether to define each one specifically or to categorize them in general terms with a single category as Infrastructure. Could you please explain to me how we should define them?

    Could you kindly let me know if we need to define different categorized products as Assets and then specify the vulnerabilities associated with that specific asset in the Risk Register for internally developed software?
