I'm implementing the BCP, and I'm in the risk analysis phase. The steps I used are:
Audit results
Can you answer a question for me quickly? Once stage 3 and 4 surveillance audits are completed, depending on the results, what is provided to the organization by the certification body? Do they provide a report stating that the organization is still in compliance? Or, if there are minor or major nonconformities, what is the organization provided with? How is the company notified of the results?
Practice for collection of evidence
I have a question about the method for incident management (paragraph 3.7, Collection of evidence). For the rules for identification, collection and preservation of evidence, is there any template? (I couldn't find one.) If not, would you mind sending me some information about the content of this document? We don't know how to write the rules.
ISO 22301 continuity analysis and ISO 27001
To carry out the ISO 22301 continuity analysis, is it also necessary to apply ISO 27001?
Tool for carrying out security vulnerability assessment
I am looking for a tool that can assist me in carrying out security vulnerability assessment. I am not looking at Security Information.
Corrective actions and corrections
I have a question about the procedure for corrective actions (paragraph 3.2, Corrective actions). In sentence two of this paragraph you talk about the main differences between corrective actions and corrections. Why are you doing this? In my opinion this sentence is totally "out of the blue" and doesn't really fit in?! The DIN talks in chapter 10.1 only once about corrections (10.1 a) 1)). Is this the reason why this distinction is necessary? Besides, the name of the chapter is "3.2 Corrective actions". Sentence one in this chapter totally makes sense to me, but sentence two doesn't. Also, if I look at the form for corrective actions (where the procedure is reflected), it only talks about corrective actions.
Physical controls selection
My company is new and there is no physical entry control device which can restrict anyone from coming inside during business hours. Is it okay to go for the certification audit without implementing this control, as the cost and time for implementing it are way too high? Or is an entry control mandatory for the certification audit?
Security requirements specification
I need some guidance to fill in the document 'Specification of Information System Requirements' for the current applications that we're using. Could you provide me with a description of the fields that we have to fill in (in the template)? For example, I would not know what to fill in the field "Version of existing information system:".
RACI chart for ISO 27001 controls
Can you help me by providing a RACI chart for all the ISO 27001 controls to map in my organisation? Basically, I have a Security Team, IT Operations Team, Development Team, IT head, BoD and employees.
Documentation retention period
I'd like to know more about the retention period of a company's information security policy. Is there a standard number of years for this?