ISO 27001 & 22301 - Expert Advice Community

  • Filling templates

    I do not quite understand how to state the clauses in your template. E.g., for the Password Policy, A.9.2.1, A.9.2.2, etc., where is it being pointed to?
  • Organizational controls

    Hi, when doing the ISO 27001, you get this question: Identify which of the following information security controls are organizational controls: 1. Defining a policy on the use of cryptographic controls – Correct! 2. Implementing cryptographic controls – Incorrect! Implementing cryptographic controls is a technical control. 3. Documenting a clear screen policy – Correct! 4. Training employees how to use cryptographic controls – Incorrect! Training is an HR control. 5. Signing a confidentiality agreement with suppliers – Incorrect! A confidentiality agreement is a legal control. 6. Documenting a procedure for training employees – Correct! 7. Implementing a domain password policy – Incorrect! Implementing domain policies is a technical control. No matter how I answer, I get it wrong. Why is "Defining a policy on the use of cryptographic controls" an org control?
  • Implementation of ISO 27001

    I would like to know how to implement the ISO 27001:2013 from scratch in the organization
  • Competence evidences for ISO 27001

    Regarding clause 7.2 from ISO 27001, what is expected for this? Are we expected to assess the competency of everyone in the organisation? If so is a CBT general security course sufficient to achieve this? I appreciate that as the Head of IS and given my qualifications I have a certain level of competence but what would be expected or "applicable" to all our users?
  • Information security profile

    In your diagram of ISO 27001:2013 Implementation process, there is milestone called “Develop a security profile of the company”. What does this mean? Is it simply the set of controls that will apply to the organisation in the statement of applicability?
  • ISO 27001 and ISO 9001 implementation

    I am going to start an ISO 9001:2015 course for the implementation of the certification for my company. I am also interested in knowing how to implement ISO 27001. My question is: what do you recommend I do for these implementations? ISO 9001 first, or obtain both certifications simultaneously?
  • Information security policy communication

    Are we required to have a signed copy of the information security policy statement posted in the office?
  • Risk assessment

    1 - Regarding Risk Assessment according to ISO 27001 and ISO 27005, I need your proper guidance and applicable methods on how to carry out a risk assessment on very highly critical infrastructure, say a nuclear research institute?
  • Security objectives and audit process

    1 - I am updating our ISP to include objectives which are measurable, with assigned ownership and relevant processes to manage their delivery, etc., but could you confirm how many objectives we should be aiming for?
  • Sources of requirements

    I have a question about the 'List of Legal Regulatory Contractual and Other Requirements'. Can you explain to me what a 'Document stipulating the requirement' is? Can you also give an example?