ISO 27001 & 22301 - Expert Advice Community

Home / ISO 27001 & 22301

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment ISO 9001 Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit ISO Product: ISO 27001 Internal Auditor Course
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Questions regarding 27001 implementation

    I have some questions regarding 27001 implementation.

    1 - In the datacentre we run there is a service called Remote hands, in which customers having their equipment there under a regime of colocation, meaning we have no logical access to data, we may do some wiring, etc. I know that other similar companies leave this service out of the scope. I understand this is the correct approach, but can you give me a good justification for this?

    2 - In our Spanish office (not the datacentre) we have a person who is a relative of our boss, whose activity has nothing to do with the company but he acts as a contact person for some administration duties. He shares a connection to the internet with us but we set up a separate VLAN so he can´t access our networks. Of course, he has physical access to all resources in this office. Should we leave him out of the scope or otherwise include him?

    3 - We have an extensive asset inventory that we use to calculate amortization but the woman in administration refuses to give me a copy so I can include it in the documentation. Management is not supporting me with this because this woman is not easy to deal with and no one wants to fight her. Any solution? Is it mandatory to have the inventory as a separate document in the IS system or we can refer to it as it is now?

    4 - Security records. What happens if we don´t have any (as such format) prior to the certification audit?

    5 - Legal requirements doc: should all customers be listed? How often should it be updated then? Can we refer this item to our CRM software?

  • Treatment and management of risks

    Hola, tengo las siguientes preguntas en referencia al tratamiento y gestion de riesgos: me podeis ayudar con la respuesta? Gracias anticipadas!! Pregunta 1. En un mismo activo puedo tener ya aplicado un control o medidas de seguridad existentes y al mismo tiempo,  podre decidir aplicar un nuevo control? Activo: servidor Nivelo de riesgo muy alto Medidas de seguridad existentes: Actualmente ya existe un equipo redundante y en caso de averia, entraría en funcionamiento, falta mejorar la seguridad del CPD donde se ubica el equipo. A aplicar: Aquí es donde debemos aplicar el DOMINIO o el control/ controles? Pregunta 2. Exactamente tomando el mismo ejemplo que en la pregunta anterior, el dominio aplicar podría ser A9, pero únicamente aplicar el control A.92. Es decir, hasta que punto debo concretar si aplico el dominio o el control o los controles necesarios para cada activo?> Pregunta 3. Las medidas de seguridad que la empresa ya tiene aplicadas en los activos críticos, deben especificarse exactamente en referencia a un control o pueden detallarse en el documento, sin relacionarlo con un dominio o control especifico? Pregunta 4. Hemos seleccionado únicamente los activos con riesgo alto y muy alto. Estos activos pueden tener: Medidas de seguridad aplicadas y necesitar aumentarlas con nuevos controles Medidas de seguridad aplicadas y NO necesitar nuevos controles ¿es correcto este? No tener ninguna medida para reducir el riesgo y requiere aplicación de controles. Es correcto?<p> Pregunta 5. Los activos con riesgo resultante: bajo y medio, es aceptado por la organización. Que hay que hacer con ellos? Teniendo en cuenta que únicamente trataremos los riesgos alto y muy alto y aplicaremos controles a estos activos, el resto de los activos, desaparece del tratamiento y gestion? Se trata de un riesgo que se asume pero no se aplican medidas para reducirlo o es necesario aplicar y detallar las medidas para todos los activos, sea cual sea el nivel de riesgo resultante? Pregunta 6. De las 4 maneras definidas para tratar el riesgo, solo aplicaría controles en la opción de aplicar controles, en las otras 3 opciones elegibles, no se aplican controles, es correcto? Ejemplo, activo: fuego en el CPD/ riesgo alto Existen medidas de seguridad para detección de incendios pero no para extinción de incendios. En caso de fuego, la información esta en la nube y no se veria afectada…. Podriamos seleccionar transferir el riesgo a la compañía de seguros por que en caso de fuego, asumen el coste de la operativa? Es correcto?

  • Security Master Plan

    I owe you a lot and thank you for your informative website. I have a question that baffling my mind. What is a Security Master Plan? Is it relevant to ISMS or 27001? Do we need it during Implementation? Could you explain it to me? I always hear in workgroups that where is your Security Master Plan? And I said we implement controls from ISO 27001 and this is enough. Am I right?

  • Studying for certification

    Could you please advise me on the best steps to undertake to obtain the following certifications? Probably, Online studies would suit me best...And I'd like to acquire them in the order specified below: 1. ISO 27001 2. PCI DSS 3. CISM & CISSP

  • Integrating ISO 27001 and ISO 13485

    Do have any advice for implementing ISO27k into an existing ISO13485 certified QMS?

  • Questions about certification

    1. How many organizations implemented ISO 27001 and got certificated?
    2. How long to get ISO 27001 certification?
    3. How much cost for ISO 27001 certification?

  • Business continuity and ISO 27001

    How business continuity management is represented in the ISO 27001 track and if these business continuity practices can be joined with those from other standards (like the BIR 31111 & ISO 22301 ) in order to come up with the best practices for BCM?

  • Template content

    Which of your documents include the step by step process of implementing a business continuity plan after being created?

  • Questions about document management

    I've purchased toolkit for ISO 27001 and right now I am going through various documents.
    1. As far as I understand the offer, the package includes unlimited questions via email, right?
    2. I am looking for areas regarding data retention and requirements from ISO 27001 standards. Does ISO 27001 require a definition of "data retention"? I haven't found any control about it nor template in the toolkit.
    3. Does ISO 27001 require to keep "Records of erasure"?
    4. Does "Records of erasure" are applicable in case of offboarding or also as part of retention of data? Offboarding employee = Termination of Contract with Employee. That means that as part of the offboarding checklist the access is removed and his laptop is "erased" for reuse by another person. With my understanding, that provides enough evidence that device/laptop/asset has been erased and satisfy A.11.2. Is it the right understanding?

  • Career development of information security

    I have over 12 years of experience in ITES in Infrastructure Services including recent 5 year's experience in the eDiscovery domain. I am currently working as an Assistant Manager and would like to move my career to Information Security domain and also seeking for next level position as well in my current org. I would like to know which certification would help me to grow ISO 27001 or CISM.
Page 218 of 544 pages