ISO 27001 & 22301 - Expert Advice Community


  • Certify cloud computing environment

    It would be great to provide insight on certifying a cloud computing environment.
  • Obtain the management support

    Are there any silver bullets which are guaranteed to gain attention, recognition and resources from C-suite execs (apart from a breach!!) regarding Information Security?
  • Comply with clause 9.1

    I am struggling with this portion of the 27001 standard. I have set up and pulled together the goals and objectives for our organization but seem to keep hitting a wall when trying to identify how to meet this clause. Do you have any samples / examples that may be able to help me move this forward?
  • Creating two separate password policies?

    We are developing a “password policy” now and have a question about it: there is only a password policy for users among the templates. Are there any requirements in ISO 27001 for a separate password policy for privileged users (like admin, root, etc.), or can we combine them?
  • How to do risk assessment on sample of assets

    Could anyone please suggest / advise how we can do a risk assessment on a sample of assets? There are 30 firewalls (critical), so does it mean that we need to cover all of them, or can we do it separately?
  • Effectiveness of security controls

    When assessing a risk, sometimes we assume that a particular risk may happen. So we determined some control measures. But that risk has not commenced yet. That was just a probability. In that case, how can we measure the effectiveness of the risk control we took to reduce the risk?
  • Intellectual Property Rights

    Could anyone please share some of the requirements related to IPR? How can an organisation comply with A.18.1.2? What will the external auditor check at the time of the certification audit?
  • Assessing the residual risk

    As a part of risk management, after determining the control measures for an identified risk which has not happened yet, how can we review the effectiveness of the control measures for that particular risk?
  • How to identify assets

    How to identify the assets? To assess risks using the old assets-threats-vulnerabilities method, is it done for each control? In other words, do we identify assets for each evaluated control during an audit? The current 2013 revision of ISO 27001 doesn't require such identification, but assessing consequences, likelihood and the method of risk calculation are the same?
  • Violation of the ISO 27001 certification

    What happens if I have and declare that I am certified by 27001 or 27018, companies come to me and get service from me, but during that time I violate some of the obligations that take place in 27001 or 27018? Am I responsible under any legal sanctions, or do I only lose customers/reputation?