ISO 27001 & 22301 - Expert Advice Community

  • Inventory of assets and risk assessment

    I am a bit confused about the order of some of the templates and am hoping you can clarify. I am using the templates in the order you suggest (i.e. starting with folder 00), and am just wondering why the Inventory of Assets comes after the Risk Assessment Table. Could you explain why you wouldn't want to list all assets before proceeding to risk assessment?
  • Information management

    Case: One of the divisions of a bank has 4 direct reports, one of which is a specialized area that provides key information for the bank's offers (scores). That area has designed, developed, validated, monitors and has generated security protocols for all of the bank's scores, and is responsible for them before any audit (internal and external) and before the regulator XXXXX, and has done so for several years.
  • Study material

    I would appreciate it if you could suggest a source of study which can help me with auditing the following areas:
  • Legal requirements

    There was a law recently enacted that REQUIRES compliance for all organizations with PII. I am about to do ISO 27001. Will compliance with the law be a requirement to pass 27001 certification? Should I work on complying with the law first before doing 27001?
  • Requirements from interested parties for working in public places

    Hello, I'm trying to prepare the interested parties and the “List of regulatory, contractual and other requirements” prior to defining the scope. It is easy for me to list some interested party requirements when the interested party needs something, such as customers (i.e. they need to protect their information) or government agencies (i.e. they want you to comply with the laws & regulations) etc. But I don't know how to list the requirement when an interested party impacts the organization's information security, for example an employee working in a public place and connecting to the organization's network remotely, or supporting company personnel connecting to the organization's wireless network, or an untrained employee clicking on a link in a phishing mail etc.
  • Controls applicability

    I am working in an ISMS implementation project in a company where the whole IT operation is outsourced to an IT company within the same group. Everything related to IT is ordered as a service; no assets are owned (hardware, applications, service desk etc.). This service provider is also implementing an ISMS. Can we declare the controls, e.g. from A.12, as "not applicable" because these controls are all within the responsibility of the provider (my opinion)? Or shall we declare them "applicable" and refer to the ISMS of the provider (opinion of internal audit)?
  • Implementation alternatives

    Dear Dejan, thanks for your email. I'm currently project manager for XXXXX, responsible for achieving GDPR compliance and ISO 27001 accreditation. If you don't mind, I have a question for you. In what order would you progress these two projects? GDPR on its own because of the known date for the regulation coming into force, or ISO 27001 accreditation, knowing this will deliver an environment which satisfies GDPR? I value your opinion.
  • ISO 31000 and ISO 27001

    Do you use ISO 31000 for ISO 27000?
  • Business Continuity Lifecycle document

    I have an audit and they are requesting a Business Continuity Lifecycle document. Please advise which document I should share with them according to the ISO 22301 standard.
  • Becoming an auditor

    I have worked as a Network Security Analyst for 2 years 3 months in an IT firm and have now been unemployed for 1 year. I want to resume work and am willing to work as an auditor. Will my experience count for an auditor profile, and how do I start preparing so as to become an auditor?