ISO 27001 & 22301 - Expert Advice Community


  • Which clauses must be covered with particular documents?

    I’ve purchased the premium kit for ISO 27001 and noticed that the templates have references to relevant ISO 27001:2013 clauses. In many cases, the list of relevant clauses in each template is far more than what is listed here: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/ For example, at the URL above, only clause A.8.1.3 is listed. However, in the Acceptable Use Policy template found in the premium documentation kit, you’ve listed these references: ISO/IEC 27001 standard, clauses A.6.2.1, A.6.2.2, A.8.1.2, A.8.1.3, A.8.1.4, A.9.3.1, A.11.2.5, A.11.2.6, A.11.2.8, A.11.2.9, A.12.2.1, A.12.3.1, A.12.5.1, A.12.6.2, A.13.2.3, A.18.1.2.
  • Risk assessment

    In the risk assessment table, are the likelihood and consequence totals calculated before or after including the existing controls in place today?
  • Toolkit support

    1) Can you please share the recommended classification of all ISO 27001/9001 documents available in the templates shared? I’m a little confused after seeing the videos: some documents are classified as restricted and some as internal. If you can mention it for each document, it will be great.
  • Threat analysis

    1 - How shall I treat infrastructure such as the server room in our office? I am asking here because the server room itself does not threaten any information value. If this asset is supposed to be analyzed in the context of the server located there, then it would make sense to indicate, for example, pollution as a threat. But wouldn’t it be redundant when you analyze the server itself and take pollution as a threat again?
  • Documentation review

    We are in the process of revising our documents as part of the Management Review and Continual Improvement. We know that ISO requires an ISMS Implementation Project Plan. Is this document required EVERY time we revise the "policies", or does the original document just need to be kept?
  • Procedure for document and record keeping

    Considering the procedure for documents and record keeping:
  • Documenting RTO and RPO

    When documenting RTO and RPO for mission-critical processes, should both be reported in a band, i.e. 0 - 4 hrs, or should they be reported as a single value, i.e. 4 hrs? What are the implications for both?
  • Policy elaboration

    I need information on policy formation for an organization.
  • Security in supplier relationships

    In the contract with an external supplier there is nothing about information security but they say that they have an internal security policy with all employees. Is that enough? Or should we write something in the “information security policy for supplier relationship”?