Quantity and quality of ISO 27001 documentation for certification audit
I have a question about the ISO 27001 certification process. I got the list of mandatory documents and registers. However, I want to know your feedback regarding the certification process. Could a certifier evaluate the quality of these documents and registers? Or does he only evaluate completeness and quantity? I have always had this question. Does the process want both things? What should I take into consideration for this process?
Query regarding Server access and related Risks
One of our customers is asking for access to a server in order to access source code. Our Networks team suggested opening port 22 to give access to the servers.
I wanted to understand the risks of this approach and whether it is good practice to give access to source code.
Is clause 7.2 Competences of personnel mandatory in ISO 22301?
I have been reading your book Becoming Resilient: ISO 22301, and I am enjoying it, but I have a doubt: why is clause 7.2 Competences of personnel in the list of mandatory documents? I believe clause 7.2 is non-mandatory because it is within the Awareness and Training Plan. I checked it, and clause 7.2 is also in the non-mandatory list. What is the reason for this clause being in two lists?
ISMS scope in Quality Manual
Should the ISMS scope have its own document, or can it be combined with the quality manual if ISO 9001 has already been implemented?
Assessment of processes
I am currently assessing some processes in our ISMS. Can you please help me with some questions to ask, or some threats/vulnerabilities compromising the availability, confidentiality and integrity of a process?
Information security incident management categories
There are several categories of information security incident management related to IT, e.g.:
- Denial of service attack
- Illegal use of software
- Malicious code
I'd be grateful if you could list some IS incident categories other than IT security incidents, for example:
- Physical interference in secure areas
- Loss/Theft of laptop ...
Thanks in advance
Secure system engineering principles (clause A.14.2.5)
Dear Dejan,
Could you please tell me what document or action I should prepare for the Secure system engineering principles (clause A.14.2.5)?
Thanks in advance
connection between BCP and security
Dear Mr. Košutić,
Our CISO and Organisational Officer both see the close connection between BCP and information security in the 27001 standard. The question is whether to put the CISO and BCP together in our organisation (perhaps in Compliance) or not. Do you see the connection between them in the 27001 standard, and where (how to argue that)? I work in a financial institution (bank).
Thank you in advance and best regards!
Statement of Applicability & auditor's comments on effectiveness of controls
I have just watched the tutorial video on "How to Write ISO 27001 Statement of Applicability" and noticed that there wasn't a column for the certification bodies' opinion on the effectiveness of the applicable controls. According to the tutorial video this is not a mandatory field. Where then does the certification body document their opinion on effectiveness of each of the controls?
Secondly, can the certification body issue a certificate if there are any weaknesses in the way some controls are implemented, or must they all be 100% effective?
How does IT complete a BIA
In a banking environment, the IT Dept.'s major role is to provide support to the network, and their RTOs are for the most part driven by those of the branches and units they support. In light of this, what is the best approach for an IT Dept. in completing a BIA questionnaire? Where should their head space be when completing this questionnaire?