ISO 27001 & 22301 - Expert Advice Community

  • Shortest time necessary before applying for ISO 27001 certification

    What is the shortest time necessary that we should run the steps CHECK and ACT before applying for the certification of ISO 27001?
  • Referring to the Business continuity policy from the ISMS documentation

    If we want to get certified against 27001 and we have an existing business continuity policy, do we still need to state it in our ISMS documents? Will the auditor audit the specifics of it even if we only want to have the 27001 certification for the meantime?
  • Any controls for BCMS like ISMS?

    Are there any controls for BCMS like ISMS? Please help me understand this.
  • Who owns the risk?

    We are planning for ISO 27001 certification for one delivery center located at some location. The delivery center IT management (Networks, Servers, Security, Helpdesk, Application) required to deliver services to customers remotely is managed by another IT team, which is not part of the scope.
  • Which policies to implement before the certification

    My question is about policies: E.g. I have 10 policies that are created and fully implemented, 15 policies that are created, but partly implemented, some policies that are planned, but not created yet, some policies that are created, but not implemented. How critical is it, when I have policies that are planned, but not created yet and when I have policies that are created but not implemented? Does that endanger my accreditation?
  • Asset Inventory: 'Printer' - Justification!

    Hi there, WRT Dejan Kosutic's statement on asset inventories: "Since ISO 27001 focuses on preservation of confidentiality, integrity and availability of information, this means that assets can be: Hardware – e.g. laptops, servers, printers, but also mobile phones or USB memory sticks." Can someone, with a real-time example, clarify how assets like printers would play a role in CIA in ISO 27001? Thanks in advance.. :-)
  • How essential is a 'Scope Diagram' in the Scope Document?

    Hi all, I have happened to see some scope documents which do have a scope diagram, drawn with a set of associated departments or domains, with the main domain/dept in scope. In my case I don't have any such associations to my department in scope. Some documents also have a scope diagram, and some don't even have one! So, how important or essential is the scope diagram towards the ISO 27001 implementation? TIA
  • RARTP vs NCPA

    Risk Assessment and Risk Treatment vs. Non-conformities, Corrective and Preventive Actions: How do these have an impact in real time? Can someone give me a real-time example of how things move around with these two? TIA
  • Risk assessment of vendor who is ISO 27001 certified

    I have another question about our Risk Assessment. If we have information assets that are being stored by a vendor that is ISO 27001 certified, how does that impact our risk assessment? I know that I will still need to do an assessment of the areas that we directly have control over (or what is required of us), but are we required/able to do additional research to ensure that the areas that are out of our control are done properly? For example, we won’t have control over their physical servers, but there is a risk that their server loses power, which could in turn mean that we lose access to our data (at least temporarily).
  • How to account for mobile devices that are not company owned

    I had a few questions about the asset register and risk assessment documents: How would you generally account for mobile devices that are not company owned but that contain (or could contain) company information assets? I consider the devices to be in scope because we will ultimately have a BYOD policy and some sort of mobile device management system to manage their use, but I’m not sure how I should account for them here. Would I classify them differently on the risk assessment vs. the asset register?