My first question would be whether it is necessary to always list a job title (e.g. CISO) or whether it is sufficient to list the name of the person in charge of that task. In our company, for example, we do not have the position of a CISO yet. Is it necessary to create this position, or can we just stick to the "name, surname"?
Categorizing information
How to categorize information into levels according to confidentiality?
Legal & Regulatory Requirements
Taking into consideration the requirements in ISO 22301 clause 4.2.2, how can it possibly be feasible to determine the interests of relevant parties, i.e. clients, of whom there may be several hundred or more, who are all likely to be subject to different legal and regulatory requirements depending on their industry/sector, and who will therefore all have different needs?
My organisation has 800+ clients; it can't be practical or possible to assess each one individually?!
Controls effectiveness review
What are the procedures needed for IT systems that enable us to regularly review the effectiveness of the technical and organizational measures to ensure the safety of processing activities?
Software tools for BIA
What software tools do you recommend for BIA?
Audit procedure and information logging
I need some samples to help me write a document for an audit logging procedure, including the criteria for what is to be logged. Do you have any idea, or can you help with where I can get this guideline for me to start with?
Scope definition
I find it hard to comprehend how to define the scope of the ISMS. I will need to help a customer do an internal audit, but realizing that the company is a multi-national, multi-sector company, I don't really know how to proceed.
Filling the risk assessment template
Our company has bought the documentation package for ISO 27001 from you. At the moment we are in Chapter 6, the Risk Assessment, and are currently setting the level of risk. If the information about the threat, vulnerability, extent of damage and likelihood of occurrence falls into an area where the risk is initially accepted and monitored, does one have to enter an "existing measure" in the last column?
Risk mitigation and BC strategy
First I bought Becoming Resilient: The Definitive Guide to ISO 22301 Implementation to study for a business continuity management exam. I liked the book; it is very easy to understand. But after finishing it, and I think having understood the contents pretty well, I couldn't find an answer to the question: When are risks mitigated? ASAP, after the risk analysis, or after having implemented the strategies for BC?
Clarification on Penetration test
Thank you for your continuous service and advice on information security. I have some doubts related to the ISO 27001 requirements for penetration testing and vulnerability assessment. We are doing vulnerability assessment internally and also doing penetration testing through a third-party company periodically. Doing the penetration test through a third-party company is much better, but is this still a compliance requirement for the certification? If it is a requirement, can this activity be performed by our sister company?