ISO 27001 & 22301 - Expert Advice Community


  • Compliance with ISO 27001

    1 - I had gone through the documents and I am still trying to understand how to identify which policies are mandatory / important / least important for making an organisation ISO 27001 compliance-ready, and what actions need to be taken to ensure the organisation is ready for ISO certification.
  • Risk assessment methodology and assets inventory

    1 - I have looked at the 16 points that have to be followed for the implementation of the 27001 standard, and among them there is one that says to define the risk assessment methodology. My question is: which methodology do you recommend using?
  • Risk assessment methodology

    1 - Is it imperative that we first decide the methodology of risk assessment, whether to go with qualitative or quantitative, and then apply it across the organization? Or can we apply both methodologies as per our requirements?
  • Management support and approval for an ISMS

    As I understand it, 27003 says that you need to clarify organization priorities, list interested parties, define the scope, prepare the business case & project plan for management approval and then get management approval. But the Appendix G section of your book (also chapter 3) puts 'obtaining management support' at the top of the work and explains that I need to present ISMS benefits to the management and get formal approval.
  • Certification benefits

    My organisation is non-IT and we are already ISO 9001:2015 certified. Now a client wants us to be certified in ISO 27001. But that certification is not beneficial for us in the future as we are a non-IT company. Can you please advise whether we should go for this certification just because the client is asking, or whether it has future benefits? If it is not necessary, then what reply can be given back to the client?
  • How many threats and vulnerabilities to display

    I've got another question about the ISO 27001 Risk Assessment Table. In this table, should I only focus on the threats and vulnerabilities that are likely to happen, or can I include every possible option? How wide can and should I go? Because in the example I have seen in the video tutorial, you used 'flood' as a possible threat, which is very unlikely to happen, I suppose. So does it matter if / is it necessary that I include all possible threats with a likelihood score of 0?
  • External auditor questions

    Do you have a list of sample questions that the external auditor might ask?
  • Acceptable use policy and telework

    1 - Can I refer to for example the ‘Acceptable Use Policy’ as an existing control to prevent the theft of a smartphone (with company information on it) of an employee? Or do I have to mention this in the Risk Treatment Plan?
  • Risk acceptance

    Hello, recently we had a discussion within the software development team. As you know, control A.12.1.4 forces us to separate development, test and live environments. However, for some development tools, it is not possible to separate them. Also, some projects force us not to separate them at all. In this situation, can there be an exclusion for not implementing this control? What can be the metrics for implementing and not implementing this control? Thanks for your help.
  • Risk assessment and treatment

    We are using your toolkit for leading an organisation through certification.