I have a question on policy documents. Under the new ISO 27001 standard, there seems to be more and more policies needed - e.g. Cryptography, Suppliers policy, etc. Is it really necessary to consider these particular documents as policies per se, or can I consider these as guidelines only?
Methodology for risk assessment in ISO 27001
Does ISO 27001 define a methodology for risk assessment? Give examples.
Question on List of legal, regulatory, contractual and other requirements
We are a SaaS company with a lot of customers, most of them in ***. To make this a little more complicated, we have partners selling our product. With these partners we have separate contracts where we have defined the information security responsibilities.
SoA and A.16 controls
I have a question about the SoA and A.16 controls. I can't justify the implementation of the A.16 controls by linking them to a specific risk. I think that the implementation of all A.16 controls is related to all risks, because we can use the lessons learned in incident treatment to reduce the impact or probability of any incident in the future (which could be related to any risk).
Excluding physical location from the ISMS scope
Wanted to ask for some guidance on the scope. The company is housed in a leased office suite on a shared floor. Would their physical location thus be out of scope?
Check remote host
Is there any way to check whether a remote host that wants to connect to the corporate network has up-to-date antivirus installed?
Checklist during an internal audit
Can an external auditor raise a nonconformity for not having a checklist during an internal audit?
Scope of an ISMS
Hello, I am planning the activities required to implement the ISMS. The doubt I have is this: the company I work for has outsourced IT, meaning that all of the company's information is stored and processed in the provider's datacenters. This provider in fact gives all the support to the business: database administration, systems maintenance, problem resolution, networking, etc. Where I work is a small company that only has a communications room, so in this respect I have control up to a router; from there on, the information flows to the provider. My question is: in the scope, should I only list that router in a section on connections and interfaces, or should I include the provider's facilities?
Problems with very narrow ISMS scope
I have a question on ISO27001 scope I was hoping you could help me with.
Developing a cryptography policy
Could you please send me some tips on developing the cryptography policy with regard to ISO 27001:2013? We need to apply this domain in our environment.