I am an IT security expert. I am planning some security audit projects, but I am still a little confused about where I can get reporting and audit materials.
Interested parties and stakeholders
Can I use "interested parties" and "stakeholders" interchangeably? It is included in ISO 27001 clause 4 under the title "4.2 Understanding the needs and expectations of interested parties".
Performing Risk Assessment
I work for an organization with more than 1500 employees. I wanted to do a risk assessment using ISO 27001 risk assessment: how to match assets, threats and vulnerabilities. I wanted to start with the finance department, with a staff complement of 87 people. How do I go about it?
Privacy and cloud computing security documents
I am working on information privacy protection in a cloud computing environment. Besides the Cloud Security Policy, Policy for Data Privacy in the Cloud, and ISMS Scope Document, what other documents do you think I require? I am working on this from a governance, risk management and compliance perspective.
Filling templates
I do not quite understand how to state the clauses in your template. E.g. for Password Policy, A.9.2.1, A.9.2.2, etc., where is it being pointed to?
Organizational controls
Hi, when doing the ISO 27001, you get this question: Identify which of the following information security controls are organizational controls: 1. Defining a policy on the use of cryptographic controls – Correct! 2. Implementing cryptographic controls – Incorrect! Implementing cryptographic controls is a technical control. 3. Documenting a clear screen policy – Correct! 4. Training employees how to use cryptographic controls – Incorrect! Training is an HR control. 5. Signing a confidentiality agreement with suppliers – Incorrect! A confidentiality agreement is a legal control. 6. Documenting a procedure for training employees – Correct! 7. Implementing a domain password policy – Incorrect! Implementing domain policies is a technical control. No matter how I answer, I get it wrong. Why is "Defining a policy on the use of cryptographic controls" an organizational control?
Implementation of ISO 27001
I would like to know how to implement ISO 27001:2013 from scratch in the organization.
Competence evidences for ISO 27001
Regarding clause 7.2 of ISO 27001, what is expected for this? Are we expected to assess the competency of everyone in the organisation? If so, is a CBT general security course sufficient to achieve this? I appreciate that as the Head of IS, and given my qualifications, I have a certain level of competence, but what would be expected or "applicable" to all our users?
Information security profile
In your diagram of the ISO 27001:2013 implementation process, there is a milestone called "Develop a security profile of the company". What does this mean? Is it simply the set of controls that will apply to the organisation in the Statement of Applicability?
ISO 27001 and ISO 9001 implementation
I am going to start a course on ISO 9001:2015 to implement the certification for my company. I am also interested in knowing how to implement ISO 27001. My question is: what do you recommend I do for these implementations? ISO 9001 first, or obtaining both certifications simultaneously?