ISO 27001 & 22301 - Expert Advice Community

  • Cloud security controls

    I was wondering what is the best way to include cloud controls. We are in the process of ISO 27001 and some of our operations / products are in the cloud. Do we need to look at 27017? For ISO 27001 certification, is that enough? Do external auditors look for 27017 for ISO 27001 certification for services in the cloud?
  • Who should access risk management documents

    Who in the company should have access to the SoA and the risk assessment and risk treatment tables? Is this something that is okay for internal use? Can all employees have access, or only managers, or only certain people?
  • Defining the scope of ISO 27001

    We are working to become ISO 27001 compliant. Please suggest how I should define the scope of ISO 27001.
  • Incident management procedure - treatment of minor events (3.3)

    In chapter 3.3 the document talks about logging of minor events. Are we able to use the list of incidents to log the minor incident (when it happens the FIRST time)? Chapter 3.5 (learning from incidents) talks about adding minor incidents to the incident list after they have happened twice. Would we be able to add minor incidents in general to that list, or just minor events which happened twice in a specific period of time? If we aren't able to fill it with both, do we have to make a separate list for chapter 3.3 "treatment of minor incidents"? A separate logging list, I mean.
  • SoA - A.6.1.3 - Incident Response Plan

    Does the documentation toolkit (with 43 documents) include a template for an incident response plan? I couldn't find it. Do we definitely need a document like that to get certified? The package we bought said it includes all of the necessary documents. If we don't use this document, which documents shall we use to fulfill control A.6.1.3?
  • Are Annex A.11 controls mandatory?

    My question is regarding the Annex A.11 Physical and environmental security controls from the ISO 27001 standard: is there a mandatory requirement to have internal or outsourced physical security (human) in the company building? Or is this control implemented based on the company risk assessment?
  • Ensuring contractual and regulatory requirements are met

    In the ISO 27001 Foundations course, what does it mean, please, when it says you need to ensure that contractual, regulatory and legislative information requirements are met?
  • Business continuity documents for ISO 27001

    Toolkit folder 17 contains a disaster recovery plan. Is this plan enough to represent Chapter 17 of ISO 27001?
  • Duration of the ISO 22301 review

    ISO 22301:2012 is in the review phase and will be revised with a new version. I would like to know how much time it will take for the standard to be revised.
  • Documenting disciplinary process

    How do we have to represent control A.7.2.3? I saw it in the document "Method for incident management" (point 3.6). Do we have to make a process flow chart and put it in a blank template? There is no template in your documentation toolkit (for $797) about it, am I right?