Guest
What important aspects of the ISO 27001 standard can I include for logical security in the company where I work?
I'm working on a university project, the subject of which is to price the security of a company whose main business is to give advice on cybersecurity. This company is located in 6 different nations (XYZ) with a total of 740 employees, with the HQ in XYZ. I'm aware that ISO 27001 is a main criterion today for a company because it can provide you with some guidelines on what to protect and allows you to gain an audience thanks to the certification. But my main concern is to understand how to implement it.
Where should I start with this certification? I mean, I have a budget of XYZ USD and the main focus should be the protection of confidential data. By seeking information on the internet I cannot gather enough information on the budget that I should allocate for the company.
I got the IT Security Premium template. I don't understand one part, and what I should write in it:
"Connecting to communication networks and data exchange must reflect the sensitivity of data and is performed [specify how this is technically implemented, or make reference to a document defining the process]" – this point is in A8.2 of the IT Security Policies.
I would like to know what it is about exactly. What should I describe there?
1. I purchased your Risk Assessment Table and Risk Treatment Table. I have completed this phase of the planning for our ISO certification. Now, once I have filled out the Excel spreadsheets, does that count as my "Risk Report" for purposes of satisfying the mandatory document for the certification audit?
My next step is the SOA correct?
2. What course do you recommend so I can be prepared to do an internal audit and improvement for the ISMS for my company?
We did the certification audit last year on one function (customer support) and got the 3-year certificate. Since then we bought a company and would like to expand the scope to include the new company and also additional functions across both functions. Do we need to 'start over' and recertify, or is it possible to do the surveillance audit for year 2?
Do you think data capacity has an impact on C, I & A? Explain in detail, please.
We are an advertising company with many entities of our own (we call them agencies). Some of them reside in the head office, where we provide shared services to them (IT, HR, Finance), and some reside in their own buildings but still use our shared services.
Usually, our clients send us a questionnaire before signing a contract to verify how we process, store and remove their data upon their request. This process has become overwhelming for us, and management has decided to implement ISO 27001 for the company, as it addresses all our clients' concerns as well as providing extra assurance for our own information security.
Our initial thought is to get certified for the head office and only include our shared services in the scope, with the other businesses applying for their own certificates later by appointing us as their supplier with SLAs in place. However, it may not be a good approach, as some of our businesses residing in other buildings have more urgency to get certified.
If we apply for the head office, we are talking about 1300 employees and xyz sites in xyz cities, while nationwide we have 2000 employees and xyz sites. Speaking of sites, there's another concern for us: our backup replicates our data every night to offices in other cities, so I assume that even if we define the scope for the head office, our data still being in other sites will not address clients' concerns.
It would be great to have your input on the following questions:
• What would be the best approach for us to get certified for ISO 27001? Self-implement, consultant?
• Is the initial defined scope practical in your expert opinion?
• Are your templates and services applicable to our company, as they are designed for small and medium corporations?
How can I write a communication to my suppliers informing them that I am implementing an ISMS and that at later dates we will be conducting supplier audits?
Do you have any example?