ISO 27001 & 22301 - Expert Advice Community

  • Problem in describing risks

    In the stage 1 audit the auditor raised the following nonconformity: "Information security risks are not directly and explicitly described in the risk assessment table, but by means of the threats that may cause them and the vulnerabilities that may be exploited". Now I have to write a description for each risk. I wonder whether, if the threat is "wrong update" and the vulnerability is "poor release management" for a software asset, I have to write "A wrong update can be performed by mistake". I'll do it, but for me it's useless. I'm using your risk assessment table, where the data are enough to identify risks.
  • Performing internal audit as a service

    I have a question regarding the internal auditor. At one point in the course, you give an example saying that if the auditor has never worked in the construction industry, he/she will not be considered competent enough to perform an internal audit. If I interpret your words correctly, should an independent third-party auditor be limited to a specific industry or two? If, for example, I have never worked in a bank, then will I most probably not be qualified to perform an internal audit even if I know the standards, the processes and the law/regulations very well? I am taking this course because I am interested in working as a third-party internal auditor, with no thoughts on a specific industry (my company works with clients from many different fields). At the moment it is not very clear whether the exam for the internal auditor requires experience in a specific industry or not. Or maybe there are some things I misunderstood? I would appreciate it if you could clarify this for me.
  • Risk assessment for critical assets or confidential assets?

    Is a risk assessment prepared only for critical assets, or for confidential assets too?
  • Become information security consultant

    I recently graduated from university with a degree in software engineering, and I would like your advice on how to become an information security consultant. What qualifications and experience are required in order to reach my objective? How do I become fully qualified? What are the necessary steps to become an information security consultant for somebody without serious prior knowledge of information security?
  • Risk management for cloud computing

    If I want to do risk management for a cloud computing environment, must I use ISO 31000, ISO 27005 or ISO 91000?
  • Level of confidentiality

    "The basic rule is to use the lowest confidentiality level ensuring an appropriate level of protection, in order to avoid unnecessary protection costs." What does it mean? There are four confidentiality levels; is Confidential the lowest?
  • Example of quantitative and qualitative risk assessment

    Can you please tell me the difference between quantitative and qualitative risk assessment, with a proper example? I have so many doubts about it. Please help me out with this.
  • ISMS scope

    What should be written in the scope of the ISO 27001 ISMS?
  • ISO 27001 certification for one division

    How are you? I wanted to find out if we can get ISO 27001 certification for one division of our business and not all of them. We have a division that does software quality assurance for our clients, which has its own office space and network, and we would like to get it certified.
  • Policies and procedures

    I need a little understanding of policy mapping. As per ISO 27001, we have a list of policies for establishing information security. However, please help me to know the correct approach to map policy and procedure documents to the master policy of the organization. One-to-one or direct? Is there any mapping mechanism that can be followed? Or should they be mapped to the Scope of ISMS document? Please guide me through it.