In the risk assessment exercise, as a SaaS provider, we are quite focused on protecting PII and other customers' data.
But I was wondering whether the customer itself could be considered as an asset for the ISO 27001 certification.
For example, a threat would be "losing customers" and the vulnerability would be "not being able to guarantee the SLA in incident management".
Would it be something to consider for our ISO 27001 certification?
ISO 27001 Certification Data
My queries: (1) How many months of data/records of implementation are needed for the ISO 27001 certification,
and (2) What is the usual timeline for the ISO 27001 certification from preparation, training, Stage 1, and Stage 2 certification?
ISO 27001 Staff Security Awareness
Good Morning. I hope that you are able to answer a question for me please. Control A.7.2.2 states that "All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education training and regular updates in organisational policies and procedures, as relevant for their job function."
We are a small company and currently deliver IT security awareness sessions via in-person presentations once or twice a year. Attendance is mandatory and captured to provide evidence of provision. Are you able to advise, please, whether this would be sufficient to satisfy an ISO 27001 audit, or would the frequency of this training need to be increased and/or delivered through something more formal, such as an online training portal with a test at the end of each session? Thank you in advance for your advice.
ISO 27001 Measurement and Monitoring
I have some thoughts around the measurement and monitoring part of the ISO 27001 framework.
1. Is it only the controls from Annex A that need to be monitored and measured, or also other parts of the ISO standard?
2. Is the measurement part mandatory for all controls, or can we somehow motivate which controls we choose to measure?
3. How detailed does the measurement need to be? Can the internal audit be enough as a method of measurement, or is this too non-specific?
ISMS Policy vs Information Security Policy
Are the ISMS Policy and the Information Security Policy the same or different policies?
Need Process Owner's presence during audit?
I have a few questions:
1. Do we need the process owner's presence to face the auditor(s)?
2. Why is the presence of the process owners important during the audit?
3. Who should be in the audit session with the auditors, and why?
SOA Table ISO 27018 specific controls for processing Personally Identifiable Information (PII)
The ISO 27018 table in the Cloud Toolkit SOA is completely wrong in terms of clause IDs when mapped to the standard. This is a mess. Are the references in the toolset documents for the 27018 clauses wrong too?
Can you please fix this ASAP? I need a table showing which of your documents map to the renumbered clauses in the ISO standard.
Question - ISO 27001
Hello, I am a partner with you and have the following situation I hope you could advise on...
I have a client who has one director and no employees, and he uses contractors (suppliers) to perform all the work for him, and he is looking for ISO 27001 certification.
His business is a website registration system, and it is mostly software/website development.
1. How do you put in place HR systems when there are no employees? Would this be more about supplier management and supplier worker management?
2. With software development, would they either: (a) require suppliers to follow his requirements or ISO-compliant software development manuals, or (b) require the subsidiary to produce their own software development manual (which meets the requirements of ISO 27001), which he approves?
I hope you can advise?
ISO 27001 implementation requirement
The instructor has mentioned that "conducting the risk assessment is in the Plan phase", but isn't it an actionable activity that belongs more in the Do phase?
Can private hardware used for business purposes be excluded from the scope?
A question has arisen regarding the documentation toolkit for ISO 27001:
Under what circumstances may private hardware used for business purposes be excluded from the scope? Is this allowed according to ISO 27001, 27017 and 27018?