I am following the ISO 27001 Implementer course on Advisera. I am planning to offer consultancy services for companies that either need to align themselves with the standard or prepare themselves for the certification.
Responsible for personnel
I am doing point 05, Methodology of risk assessment and treatment. Here is the first Excel document, called "appendix 1_ risk assessment chart".
Defining scope
I would like a small piece of advice if possible. I have been asked to look at an ISO 27001 implementation in my company. We are a global chemical company and have our IT department mainly located in XXXX. We have some additional IT support globally, but the majority is in XXXX. I have been asked by the CIO if it is possible to scope just the IT Department for ISO 27001, and have also been asked if it would be possible to scope just the IT Department in XXXX (excluding the other global IT support).
Asset register
I have a question about the Asset Inventory. We don't use any ISO 27001 software (which companies on the market sell and offer). We have a main system for our company (self-programmed) where all information (for example about the asset "employee") is stored. When I try to fill in the asset inventory (the template you gave us), how detailed does it have to be? For example: if I have the asset "employee", is it enough in the column "description to the value" to give only the path to our system where you can find the employees, or do we have to list each employee inside the template? The same for workstations: do we have to list each workstation, or is it enough to refer to the place in our ERP system?
Scope definition
I am currently in the process of certification under ISO 27001:2013. I told you that we had a first audit (Phase I) by the certifying body, in which some findings arose, one of which was that we did not consider the interfaces and dependencies between the activities carried out by the company and those of other organizations (requirement 4.3, letter c).
Controls measurement
For our ISO 27001 project we have acquired the document package from you. The two guidelines below list controls that the CISO should perform on a regular basis. Are there any examples and hints on how to measure them?
Toolkit content
Our auditor has asked for an "Information Security Risk Treatment Plan". I do not seem to be able to locate it in the template; can you please confirm?
Managing information security incidents
I have a problem with a high number of information security incidents. I work in a public organization employing more than 800 people. Every day some phishing emails are delivered to their mailboxes, and some of our employees report such events to me. However, I have some doubts concerning the correct identification of these events. I am not sure if my interpretation complies with ISO 27001. I treat all these phishing emails as information security incidents with low priority, even if the particular employees do not open attachments or links in these emails or do not respond to their senders (no malware infection or loss of confidential data). I do it this way since I believe that the fact that a phishing email is successfully delivered and not blocked by anti-spam filters poses a serious risk of data breach or malware infection, due to the poor information security awareness of our employees. The problem is that I have 3-4 incidents per day.
Template content
I have a question about the report on risk assessment and risk treatment.
ISO 22301 audit
Thanks for your advice, but I have a small problem. The implementation of ISO 27001/22301 is ongoing in my bank as of today; so I have already passed my certification for ISO 27001 with the Digital Jewels certification body, but not yet for ISO 22301. I was designated in my company as ISO Auditor. It is now my responsibility to perform the audits for both standards in my company, but I have not yet passed the certification for ISO 22301. So, I want to pass it again to be able to perform audits for both standards. My question is, how can I obtain that certification again?