ISO 27001 & 22301 - Expert Advice Community


  • ISMS scope

    What should be written in the scope of the ISO 27001 ISMS?
  • ISO 27001 certification for one division

    How are you? I wanted to find out if we can get ISO27001 certification for one division of our business and not all of them. We have a division that does software quality assurance for our clients that has its own office space and network and we would like to get them certified.
  • Policies and procedures

    I need a little understanding on policy mapping. As per ISO 27001, we have a list of policies for establishing information security. However, please help me to know the correct approach to map policy and procedure documents to the master policy of the organization. One-to-one or direct, is there any mapping mechanism that can be followed? Or say to the Scope of ISMS document. Please guide me through it.
  • Risk assessment of outsourced hosting service

    In the process of filling in the Risk Assessment Table. We host all of our data and major applications out of two data centres. Our company doesn't own the data centres; we simply pay for their hosting services and some equipment. In the Infrastructure section of the Risk Assessment, would we include the physical data centres as an asset? The management of the actual physical data centres is out of our control. We could say that a threat is, for instance, unauthorized access, but the vulnerabilities are minimal, as the security at a DC is quite stringent and not in our direct control. Would such a DC, which the corporation does not own, be part of the scope of our Risk Assessment?
  • Assess the risk for each asset

    I'm looking at the risk assessment process for 27001. Am I assessing the risk to each asset or the risk that the asset poses to the business?
  • Access directly to a database?

    Can external clients have access directly to the Oracle database via a read only account?
  • Budgeting the selected controls

    I have noticed that none of the mentioned documents or phases of the ISMS implementation process (for instance the risk assessment plan) are mentioning the creation of a document with budgets needed for the selected controls. At a point the CEO should receive a final document for approval of the controls and respectively the budgets for the acquisition. What does the best practice say about it?
  • Implementing the documentation in a very small company

    I am part of a really small company but we work on high-end projects where security of materials and system access is pretty important. Given that, can you give me some basic advice on how to go about this? Should I just go through each doc and delete sections that definitely don't apply or maybe write a note next to them that says "does not apply"?
  • Teleworking

    Can you help me with what teleworking is in Annex A, control A.6.2.2?
  • Are the documents from Annex A mandatory?

    Under the list of mandatory documents required to be ISO 27001:2013 certified, you say documents from Annex A are mandatory only if there are risks which would require their implementation. So am I right to assume that technically these documents from Annex A, such as the inventory of assets etc., are not mandatory unless otherwise required?