ISO 27001 & 22301 - Expert Advice Community

  • ISO 27001 certification

    I have a question on ISO certification. If I plan to use a common control framework during planning of the security program consisting of NIST CSF core, NIST 800-53, ISO 27002K, GDPR etc., then in the future can the organization be certified with ISO 27002K?
  • Physical access control

    Please I'll be needing your clarification on a particular ISO 27001 control A11.1.2 Physical entry control.
  • Inputs for risk assessment

    As per my knowledge, we first list ALL the information assets and, based on evaluation of CIA (rating of medium/high/VH), we proceed to perform the Risk Assessment. However, as per ISO 27k:2013, the trigger for identifying risks starts from extracts of internal and external issues while documenting the scope. Can you please explain if I should consider both the extract from the BIA (medium/high of CIA) + the trigger from internal and external issues for the Risk Assessment, or otherwise?
  • Licensing for implementation

    I am following the ISO 27001 Implementer course on Advisera. I am planning to offer consultancy services for companies that either need to align themselves to the standard or prepare themselves for the certification.
  • Responsible for personnel

    I am doing point 05. Methodology of risk assessment and treatment. Here is the first Excel document called: appendix 1_ risk assessment chart.
  • Defining scope

    I would like a small piece of advice if possible. I have been asked to look at an ISO 27001 implementation in my company. We are a global chemical company and have our IT department mainly located in XXXX. We have some additional IT support globally, but the majority is in XXXX. I have been asked by the CIO if it is possible to scope just the IT Department for ISO 27001, and have also been asked if it would be possible to scope just the IT Department in XXXX (excluding the other global IT support).
  • Asset register

    I have a question about the Asset Inventory. We don't use any ISO 27001 software (which companies on the market sell and offer). We have a main system for our company (self-programmed) where all information (for example about the asset: employee) is stored. When I try to fill in the asset inventory (the template you gave us), how detailed does it have to be? For example: if I have the asset "employee", is it enough in the column "description to the value" to give only the path to our system where you can find the employees, or do we have to list each employee inside the template? The same for workstations: do we have to list each workstation, or is it enough to refer to the place in our ERP system?
  • Scope definition

    I am currently in the process of certification under ISO 27001:2013. I told you that we had a first audit (Phase I) by the certifying body, in which some findings arose, one of which was that we did not consider the interfaces and dependencies of the activities carried out by the company and other organizations (Requirement 4.3, letter c).
  • Controls measurement

    For our ISO 27001 project we have acquired the document package from you. The two guidelines below list controls that the CISO should perform on a regular basis. Are there any examples and hints on how to measure them?
  • Toolkit content

    Our auditor has asked for an "Information Security Risk Treatment Plan". I do not seem to be able to locate it in the template; can you please confirm?