What to do about assets and risks that change after risk assessment
Hi Guys, please can you help advise me here. We have completed the risk assessment and the asset owners are populating the risk treatment table with treatment options. However there was a good number of months between completing the risk assessment and where we are today. As a result the assets have changed in several departments meaning some items in the current risk assessment are not relevant. It also means any new or replaced assets need to be re-assessed.
So the question is:-
1) Do we just delete those irrelevant risks from the inventory of assets, risk assessment table and the risk treatment process, and just deal with the new assets in next year's overall risk assessment?
2) Or do we update those documents according to document control procedures and (i.e. update the asset inventory; risk assessment table to reflect new and removed assets; apply the treatment to the new assets)?
Controls implementation, SoA and audit
Will it be the expectation of our auditor that all of the controls deemed in scope for the SoA will be in place for the stage 1 and 2 audits? Or is there some timescale allowed that controls are implemented during the process?
How master ISO 27001
How to master ISO 27001:2013, what is the reading methodology.. Please guide
Risk process outputs sample
I have purchased your toolkit and it is has been very helpful. I am in the process of implementing ISO 27001 in our bank. What will be of great help to me is a sample risk identification, risk assessment and risk treatment for a bank. I am having a hard time with these processes.
ISO 27001 certification
1 - Can you please advice about the correct pat to follow, and how to get the certification for my services?
Internal Audit Checklist
1 - On Appendix 3 – Internal Audit Checklist for ISO 27001 and ISO 22301 there is evidence column to fill. Based on document template, what can we fill on there column?
Security in SDLC
Are any ISO policies directly related to SDLC (requirements, plan, design, code, test, release) ? We want security testing built into the SDLC. Is it the A_14 Secure Development Policy?
ISO 27001 implementation project
Hi, I would like to create a project so it is clear for the company which steps they have to take and what they should do to get ISO 27001 certified. Can you help me with this?
Risk Assessment and Treatment
1 - For the Risk Assessment and Treatment report, do all of the identified risks have to be resolved/completed prior to certification or does having a timeline of completion okay.