1. If we limit our scope to the datacenter, is it sufficient to ensure the confidentiality, integrity and availability of the data which is in the servers? I assume we don't have to ensure the confidentiality, integrity and availability of the data in WHMCS which is a platform that is being used for support tickets and sales, right?
Reference documents
My question relates to the information security guideline; point two - reference documents. The comment said: „list here all internal documents of the organization related to this policy, e.g. business strategy, business development plan, strategic risk management, etc.“
Developing documents
Do I need to write a separate operating procedure for removal of media and disposal of media when I have already written guidelines for the same?
Implementing BIA
1. I’m starting based on your “ISO 27001 – ISO 22301” toolkit to implement the Business Impact Analysis (MAO, RTO & RPO by IT service) for the company. We expect the BIA to focus only on business processes that rely on IT services (such as internet and network connectivity, file server, application server, database server, etc.). However, I find the “BIA_Questionnaire_EN.xlsx” difficult for me to fill in. For example, I’m not sure whether one questionnaire covers multiple business processes with their corresponding IT services, or whether one questionnaire covers just one business process and one IT service.
Sharing information
I was wondering what the best way is to share ISO 27001 certification details externally, if a few customers are asking for more details than the external certificate? Are you aware of what businesses share apart from the external certificate? Any samples you can share? Do the SoA and the assets that are in the scope of certification get shared? Any samples you have?
Questions about toolkit documents
1. A.6.1.4: There are no requirements (besides law, which is a question mark for me at this moment) or (unacceptable) risks that demand the implementation of this control. I don't think the GDPR requires having a list, but it requires that we report incidents to the Data Protection Authority. Does this mean that it is mandatory to implement this control?
Documentation and audit
1. I have documented the ISMS policy for a small organization. How long should I wait to perform an internal audit for the organization?
Certification body
We are currently looking for a compliance body that would be able to audit us in a short period of time. Can you recommend a few companies? Have you ever heard about QAS International (www.qas-international.com)? If yes, can you tell me if it is a good and reliable company?
Questions about risk assessment
1. I have gone through the document and you are using an old version, while the latest version of the standard is 2013, and there will also be a new update. So could you please help me understand how we will be able to align with the latest version, or confirm whether there are any changes in the latest version, and how you will help us in this regard by updating it or otherwise?
Defining critical activities for BIA
I am finalizing the list of critical activities for the BC and have a question. There is an activity that happens once a week and is CRITICAL on that Monday/Tuesday. So should I include it in the BIA? There are lots of questions around what if the disaster happens after Tuesday... So my answer is, what if it happens on Monday...? So the real question is: do we include it as one of the critical activities?