ISO 27001 & 22301 - Expert Advice Community


  • Policies details

    I'm having trouble with how to rewrite our internal policies so that we can get ISO 27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance? For example, ISO 27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get stuck with a non-conformity when we fail to present evidence. Going off the same example I gave you, is simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs? Something else that interests me is how to deal with remote employees when rewriting our policies. How do we enforce a clear desk policy if they're working from home?

  • Audit point

    The auditor has indicated that there are a number of 2021 policies where we cannot demonstrate, per the date stamping in Conformio, that the policies are valid/current in 2022. We don't want to change anything in the policies (e.g., the information security policy), but how can we demonstrate that an older policy is still valid in 2022 given that it is date stamped 2021?

  • Risk Management Questions

    We received this question:

    Can you help me with the following questions?

    1. How much detail is needed in the process of identifying and analysing risks to information assets, given that many risks could be formulated for each asset?

    2. Can assets be grouped for risk analysis? We have many servers with similar characteristics and possibly the same level of exposure to the same threats. What considerations should be taken into account when grouping assets to make risk analysis easier?

    3. Is there a predefined and/or recommended catalogue of threats that can be used as a basis for risk analysis?

    4. Is there a predefined and/or recommended catalogue of vulnerabilities that can be used as a basis for risk analysis?

    5. Is there a catalogue of recommended controls that can be used as a basis for proposing the ideal controls for treating the identified risks?

  • Best method of internal audit checklist

    I have a question concerning the best method of creating an internal audit checklist. Should it use open-ended or closed-ended questions, given that the sample on advisera.com used closed-ended questions while your modules addressed using open-ended questions?

  • ISO 27001 Toolkit

    We are tasked to establish a document on Web Application Vulnerability Assessment on public facing websites as part of web application management. With reference to the toolkit we purchased, may we know what is the most similar document that we can use as a reference. The current process we have is as follows:

    1. The Information Security Manager conducts the web application vulnerability assessment on all public facing websites.

    2. The business owner(s) who own the websites may nominate the web masters who will maintain and manage the updates/upgrades and remediation of all application related issues.

    3. The vulnerability scan report will be given to the BU(s) and web masters (developers) by the Information Security Manager.

    4. Vulnerabilities will be addressed by the web masters (developers) with reference to the Detailed Scan Report.

    5. Re-scanning of the website will be conducted to check and verify the mitigation made.

  • Using CVSS as Risk Management Methodology for ISO 27001

    Is it possible to use CVSS as a Risk Assessment Methodology and still be compliant with ISO 27001? How do we map LIKELIHOOD and IMPACT using CVSS? Thanks.

  • ISO 27001 - Microsoft Office

    Is there any incompatibility between using Microsoft Office and applying for ISO 27001 certification? Thank you very much in advance for your attention!

  • Becoming ISO 27001 lead auditor

    I’ve recently passed the ISO 27K1 foundation exam. Now I'm planning for the ISO 27K1 lead auditor course and exam. I have a query regarding it. After I pass the ISO 27K1 lead auditor exam from Advisera, am I then able to audit companies for ISO certification and provide certification? I was also checking the PECB exam, but the criteria seem different from Advisera's. Please advise.

  • Conformio and Annex A controls

    I have a client who signed a contract with a big company some time ago. This client was part of a big *** advertising group and benefited from all the resources of the group, but now he has become independent and has to implement the requirements defined in the contract in order to comply with the contract he signed before. Therefore, he asked me to implement the requirements of the contract as a priority. Here are the security policies and articles that I need to put in place first. I don't know if they can be handled separately or whether I should follow the step by step procedure. Let me know if you need more information.

    Policies to be put in place:

    - Data backup policy
    - Business Continuity Planning Policy
    - External parties policy
    - Data classification policy
    - Security patch management policy
    - Cryptographic standard
    - Access Control Policy
    - Remote Access Control Policy
    - Physical and Environmental Security Policy
    - Security and Privacy Incident Response Policy

    Articles: A.12.2.1, A.15.1.1, A.15.1.2, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.5, A.17.1.1, A.17.1.2, A.17.1.3, A.18.2.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3

  • Mapping of requirements on controls

    Here’s another question about the mapping of requirements on controls. We have a customer requirement that relates to regular reporting on the effectiveness of the ISMS. I think it would be appropriate to map this on controls A.18.2.*. From the mapping document this does not seem to be possible. There is no corresponding ‘Compliance’ area that can be selected. Actually, A.18.* controls are absent from the mapping altogether, as is the case for the A.7 Human resources controls. Should a compliance area not be selectable in the requirements register, and should A.18.* not be mapped as a result of mapping onto this area? Or any other area?