ISO 27001 & 22301 - Expert Advice Community

  • Should information security objectives be measurable?

    I have a question related to the Objectives (internal audit online course 27001). The course, but also the standard, does not clearly distinguish between the 2 types of objectives: general objectives to be included in the top-level IS Policy, and department/task-based objectives. Therefore I have some doubts about whether both types of objectives shall be measurable or not. The way I understood it so far (please correct me if wrong), if I am writing a task-specific objective it should look like this: "to reduce the total number of incidents by 20%, by the end of 2017". On the other hand, if I am including this objective in the top-level IS Policy it shall be: "To reduce the total number of incidents".
  • ISO 27001 for telecommunication industry

    I just wanted to know how I can use the ISO standards in the telecommunication industry, like ISO 27011?
  • Normal incident vs information security incident

    I want to discuss the ISO 27X definition of a security incident... how can I do that? About the ISO definition of an "information security incident": in day-to-day operation, it can be very difficult to distinguish between a "normal" incident and an information security incident. I cannot see how the ISO definition can help... it seems, at first, a bit vague... Taken at face value, you could start classifying ALL incidents as security incidents... But the definition according to 27000 is: "An information security incident is made up of one or more unwanted or unexpected information security events that could possibly compromise the security of information and weaken or impair business operations."
  • Risk Assessment Methodology.

    What is the basic risk assessment methodology used in ISO 27001? What are FEMA and FISMA? In which cases is a special risk assessment methodology chosen? What other methodologies are being used? Kindly help, TIA.
  • Perform the asset register easily

    I have a question concerning the risk assessment: I already have the asset list and want to match the threats and vulnerabilities. I am using the lists that you have, but it's not easy to do that job. For example, for the asset "Laptop" I have 6 different combinations. My question is: how can I make my work easier and more effective? Does ISO 27001 require this level of detail? Any tips?
  • ISO for knowledge sharing

    Which ISO is applicable for knowledge sharing? I want to secure the knowledge sharing in my department. Which ISO should I follow to secure knowledge dissemination? I want just a brief description and how it is important in securing knowledge dissemination.
  • Is Asset register required?

    Ma'am, I would like to find out whether the asset register is required.
  • Delay in implementing the controls

    The company I work for got certified to ISO 27001 a while back, and as part of the implementation team, during our risk treatment we scheduled most of the controls for a future date, to be implemented before the second audit; but that date has passed and the second audit is scheduled for November. I want to know the implications of this and any advice on how to deal with the controls.
  • How to treat suppliers that are ISO 27001 certified

    We have a data centre that manages our data and hosts our Office 365. The office we rent is in a shared building; they provide us with a channel which links us to our data centre. They are both ISO 27001 certified; do I class them as suppliers in our ISO 27001? If I do, what information do I need from them, what documents do I need to produce, and do I need to audit them?
  • How to treat an ISMS document that is due for review

    How do I treat an ISMS document that is due for review but has nothing in it to be changed or updated? This mostly has to do with the Revision History and Next Scheduled Review Date sections.