ISO 27001 & 22301 - Expert Advice Community


  • Which policies to implement before the certification

    My question is about policies: E.g. I have 10 policies that are created and fully implemented, 15 policies that are created, but partly implemented, some policies that are planned, but not created yet, some policies that are created, but not implemented. How critical is it, when I have policies that are planned, but not created yet and when I have policies that are created but not implemented? Does that endanger my accreditation?
  • Asset Inventory: 'Printer' - Justification!

    Hi there, with regard to Dejan Kosutic's statement on asset inventories: since ISO 27001 focuses on preservation of confidentiality, integrity and availability of information, this means that assets can be: Hardware – e.g. laptops, servers, printers, but also mobile phones or USB memory sticks. Can someone, with a real-time example, clarify how assets like printers would play a role in CIA in ISO 27001? Thanks in advance.. :-)
  • How essential is a 'Scope Diagram' in the Scope Document?

    Hi all, I have happened to see some scope documents which have a scope diagram, drawn with a set of associated departments or domains around the main domain/department in scope. In my case I don't have any such associations to my department in scope. Some documents also don't even have a scope diagram! So, how important or essential is the scope diagram towards the ISO 27001 implementation? TIA
  • RARTP vs NCPA

    Risk Assessment and Risk Treatment vs. Non-conformities, Corrective and Preventive Actions: How do these play an impact in real time? Can someone give me a real-time example of how things move around with these two? TIA
  • Risk assessment of vendor who is ISO 27001 certified

    I have another question about our Risk Assessment. If we have information assets that are being stored by a vendor that is ISO 27001 certified, how does that impact our risk assessment? I know that I will still need to do an assessment of the areas that we directly have control over (or what is required of us), but are we required/able to do additional research to ensure that the areas that are out of our control are done properly? For example, we won’t have control over their physical servers, but there is a risk that their server loses power, which could in turn mean that we lose access to our data (at least temporarily).
  • How to account for mobile devices that are not company owned

    I had a few questions about the asset register and risk assessment documents: How would you generally account for mobile devices that are not company owned but that contain (or could contain) company information assets? I consider the devices to be in scope because we will ultimately have a BYOD policy and some sort of mobile device management system to manage their use, but I’m not sure how I should account for them here. Would I classify them differently on the risk assessment vs. the asset register?
  • Milestones in the project plan

    I am working on a single project plan for both the ISMS and BCMS together. The Project Plan document template includes documentation deliverables, but I would also like to include milestones/phases in the project plan as well. I am thinking of using the implementation phases from the Project Checklist documents as milestones, but is there a reference for which document(s) is due at which phase?
  • Problem in describing risks

    In the stage 1 audit the auditor raised the following non-conformity: "Information security risks are not directly and explicitly described in the risk assessment table, but by means of the threats that may cause them and the vulnerabilities that may be exploited". Now I have to write a description for each risk. I wonder whether, if the threat is "wrong update" and the vulnerability is "poor release management" for a software asset, I have to write "A wrong update can be performed by mistake". I'll do it, but for me it's useless. I'm using your risk assessment table, where the data are enough to identify risks.
  • Performing internal audit as a service

    I have a question regarding the internal auditor. At one point in the course, you give an example saying that if the auditor has never worked in the construction industry, he/she will not be considered competent enough to perform an internal audit. If I interpret your words, should an independent third-party auditor be limited to a specific industry or two? If, for example, I have never worked in a bank, then I most probably will not be qualified to perform an internal audit even if I know the standards, the processes and the laws/regulations very well? I am taking this course because I am interested in working as a third-party internal auditor, with no thoughts on a specific industry (my company works with clients from many different fields). At the moment it is not very clear whether the exam for the internal auditor requires experience in a specific industry or not. Or maybe there are some things I misunderstood? I would appreciate it if you could clarify this for me.
  • Risk assessment for critical assets or confidential assets?

    Is the risk assessment prepared only for critical assets, or for confidential assets too?