6.1.3 f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks. If there is no written information, minor or ? If an OFI, raised during the previous audit, has not been resolved within the deadline, such a small nonconformity automatically becomes a minor one.
Auditing single departments
I have one question about the scope of the ISMS: if I have a large enterprise with 5000 employees, various systems, software and departments, would I be able to audit just one department even if we are using the same network, servers and physical location?
Documentation toolkit content
A question about the template package... I was reviewing the book "Seguro y Fácil" and in chapter 5.1 it talks about "Understanding the context of your organization", where it states that the following documentation is mandatory:
Responsible for asset related activities
Who usually does all the steps in a company (registering the asset in the inventory, performing the risk assessment/classifying the information, labelling the information)? Is it the asset owner/the person dealing with the information, or is there usually a team in the company that specifically deals with these things? Thank you for answering my question.
BCM implementation
I am currently interested in Business Continuity Management (ISO 22301) and in getting myself trained in it. I have been given the responsibility to implement BCM within the company, and I also have to work out the following action points
Scope for a small company with outsourced infrastructure to mother company
We are a 9-employee service company and part of a mother company. All our assets (IT hardware, network and applications) belong to our mother company. Employees are employed by the mother company or outsourced from a third party. Our company is the contract partner of the B2B customers, as we are a service provider to our mother company. We contract with the customer for services which are provided by our mother company.
Scope definition considering suppliers
An organisation defined its scope as its critical applications, information and databases, and in the manual it excluded development/maintenance and the cloud provider from the scope. Can they exclude these if we refer to Clause 4.3 (c)? Shouldn't they need to include them, assess the risk and define the relevant controls, such as A.15, to manage the supplier?
SoA availability
I am a little surprised that it is not easy to get to see a certified company's SoA. I was taught in my course that the certification is all about transparency, so that your customers can see exactly what controls and measures you have or haven't taken to maximise your information security.
Scope definition
Our company has different business units in the same building. Some are in the same office room. Can we exclude these business units from the scope, or are we obligated to include them in the scope?
Employee training and awareness
Hi, I'm trying to find out how much employees need to know as a minimum for 27001. I know education and awareness is part of it, but I just don't know how much is needed and what needs to be covered.