ISO 27001 & 22301 - Expert Advice Community


  • Segregation of duties

    Hello, we have your templates, which we bought last year. We just went through stage 1 and they highlighted that we are missing A.6.1.2 segregation of duties. I wondered which template/document that was addressed in; perhaps I removed it or simply didn't fill in that section.
  • Applicability of control A.14.1.3

    In my company, we don't have online financial transactions and have some web applications. Is A.14.1.3 applicable?
  • Asset owner and risk owner

    What is the difference between the asset owner and the risk owner?
  • Information labelling

    In the Information Classification Policy, under the Information Labeling section, there is a statement that one should display the confidentiality level in applications and databases on the system access screen. We are having a hard time putting this into practice for, let's say, a database being accessed through a 3rd party tool like pgAdmin or other 3rd party software where we do not control the appearance.
  • Cyber Security Policy

    I work in XXXX with one of the financial services organizations. We are working on improving our information security overall and surely enhancing policies/plans and controls too. My management is expecting a Cyber Security Policy to be written separately along with the Information Security Policy. I know that a Cyber Security Policy is a subset of information security, as information security covers all aspects of cyber security too. Is it advisable to write a separate Cyber Security Policy document even though we already have an Information Security Policy document available? If yes, what are the points to be taken care of in a Cyber Security Policy? Please provide some guidelines on it.
  • Scope definition

    Can purchasing be excluded in the Scope?
  • Information security policy content

    We have a comprehensive information security guideline. Is this sufficient as the ISO 27001 mandatory document, or do we need to have a separate information security policy? Is our information security guideline enough to present it as the information security policy?
  • Non conformity identification

    In an audit I have found, within the Active Directory, a group of users called USUARIOSADM, made up of people with different responsibilities (Managers, Project Managers, Analysts), and all of them have administration permissions on development servers and test servers. I think there is no correct segregation of tasks, nor of environments. Am I right?
  • Non conformity classification

    6.1.3 f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. If there is no written information on this: minor, or ...? If an OFI, raised during the previous audit, has not been resolved within the deadline, such a small nonconformity automatically becomes a minor one.
  • Auditing single departments

    I have one question about the scope of the ISMS: if I have a large enterprise with 5000 employees and various systems, software and departments, would I be able to audit just one department even if we are using the same network, servers and physical location?