So v2013 is pretty much fully evolved. But it needs a new sentence - Ensure your cloud provider is certified to 27017 for security and 27081 for privacy?
Roles and responsibilities
Would you have a template for this: Definition of security roles and responsibilities (A.7.1.2, A.13.2.4)?
Segregation of duties
Hello, we have your templates, which we bought last year. We just went through stage 1 and they highlighted that we are missing A.6.1.2 segregation of duties. I wondered which template/document that was addressed in; perhaps I removed it or simply didn't fill in that section.
Applicability of control A.14.1.3
In my company, we don't have online financial transactions and have some web applications. Is A.14.1.3 applicable?
Asset owner and risk owner
What is the difference between the asset owner and the risk owner?
Information labelling
In the Information Classification Policy, under the Information Labeling section, there is a statement that one should display the confidentiality level in applications and databases on the system access screen. We are having a hard time putting this into practice for, let's say, a database being accessed through a third-party tool like pgadmin or other third-party software where we do not control the appearance.
Cyber Security Policy
I work in XXXX with one of the financial services organizations. We are working on improving our information security overall and, surely, enhancing policies/plans and controls too. My management is expecting a Cyber Security Policy to be written separately along with the Information Security Policy. I know that a Cyber Security Policy is a subset of information security, as information security covers all aspects of cyber security too. Is it advisable to write a separate Cyber Security Policy document even though we already have an Information Security Policy document available? If yes, what points should be taken care of in the Cyber Security Policy? Please provide some guidelines on it.
Scope definition
Can purchasing be excluded in the Scope?
Information security policy content
We have a comprehensive information security guideline. Is this sufficient as the ISO 27001 mandatory document, or do we need to have a separate information security policy? Is our information security guideline enough to present as the information security policy?
Non conformity identification
In an audit I have found, within the Active Directory, a group of users called USUARIOSADM, made up of people with different responsibilities (Managers, Project Managers, Analysts), and all of them have administration permissions on development servers and test servers. I think there is no correct segregation of tasks, nor of environments. Am I right?