ISO 27001 & 22301 - Expert Advice Community


  • Several questions about documents

    1. If there are unacceptable risks associated with controls A.10.1.1 and A.10.1.2 (encryption) but we do choose to implement another control for the risk, what could we write in the 'Selection for non-justification'?
  • Certification coverage

    To what extent will the certification be issued to a corporate entity? If it is issued to corporation X, will it cover all of its entities, subsidiaries and affiliates? Or should every legal entity need its own certification?
  • Results description

    I am currently completing the project plan template and need some assistance with 3.2 - Project Results. You have some great descriptions of the key documentation we will be producing as below:
  • Questions about scope

    1. If we limit our scope to the datacenter, is it sufficient to ensure the confidentiality, integrity and availability of the data which is in the servers? I assume we don't have to ensure the confidentiality, integrity and availability of the data in WHMCS which is a platform that is being used for support tickets and sales, right?
  • Reference documents

    My question relates to the information security guideline; point two - reference documents. The comment said: "list here all internal documents of the organization related to this policy, e.g. business strategy, business development plan, strategic risk management, etc."
  • Developing documents

    Do I need to write a separate operating procedure for removal of media and disposal of media when I have already written guidelines for the same?
  • Implementing BIA

    1. I'm starting, based on your "ISO 27001 – ISO 22301" toolkit, to implement the Business Impact Analysis (MAO, RTO & RPO by IT service) for the company. We expect the BIA to focus only on business processes which rely on IT services (such as internet and network connectivity, file server, application server, database server, etc.). However, I find the "BIA_Questionnaire_EN.xlsx" different for me to fill in. For example, I'm not sure whether it is one questionnaire for multiple business processes with their corresponding related IT services, or one questionnaire for just one business process and one IT service.
  • Sharing information

    I was wondering what the best way is to share externally that we are ISO 27001 certified, if a few customers are asking for more details than the external certification? Are you aware of what businesses share apart from the external certification? Any samples you can share? Do the SoA and the assets that are in the scope of certification get shared? Any samples you have?
  • Questions about toolkit documents

    1. A.6.1.4: There are no requirements (besides law, which is a question mark for me at this moment) or (unacceptable) risks that demand the implementation of this control. I don't think the GDPR requires having a list, but it requires that we report incidents to the Data Protection Authority. Does this mean that it is mandatory to implement this control?
  • Documentation and audit

    1. I have documented the ISMS policy for a small organization. How long should I wait to perform an internal audit for the organization?