Guest
Thanks for the support and information you are giving us. I am now doing the risk assessment and I have a question for you. So we have different asset owners and let's say they all have laptops. So do I need to list every laptop and its associated risks, threats, and vulnerabilities, or do I just categorize them as laptops?
Our company has a complex IT-infrastructure and various RTOs. We, therefore, need separate disaster recovery plans. Are there templates when you need to work more differentiated?
What to do with the demands of the standard that have long since been overcome? You know what I am thinking.
In which document is my question: "Specification of safety requirements"
In which area: "Impact level according to the risk assessment:"
Question:
In our risk assessment table, we didn’t list each information system, we worked with categories like "application software" or "workstations". Information systems can occur in both categories. Both categories have multiple threats, vulnerabilities, and therefore impact levels. In this case, how is it possible to determine the impact level of the individual information system in the "Specification of security requirements" based on the risk assessment table?
1. We are starting a project to implement an ISMS, and it was decided to work with internal staff. Our question is whether the "Paquete Premium de documentos sobre ISO 27001 e ISO 22301" is enough to implement an ISMS without prior experience?
2. Are there certifications for becoming an ISO 27001 auditor? Which one would you recommend to us?
Hi
I am managing an ISMS and, as per the standard and as part of continual improvement, I have to perform an internal audit of the ISMS. An internal audit dept is performing the internal audit. I need clarification in understanding when an auditor can raise an NCR (Minor) and when he can raise an Observation. Suppose I say that since I am certified by an external auditor and I have passed a certification audit by complying with all the mandatory requirements of ISO 27001, you cannot raise an NCR for my ISMS but can only raise an Observation.
So am I correct, or can the internal auditor still raise an NCR for me?
Please advise
Thanks