ISO 27001 & 22301 - Expert Advice Community


  • Budgeting the selected controls

    I have noticed that none of the mentioned documents or phases of the ISMS implementation process (for instance the risk assessment plan) mention the creation of a document with the budgets needed for the selected controls. At some point the CEO should receive a final document for approval of the controls and, respectively, the budgets for their acquisition. What does best practice say about it?
  • Implementing the documentation in a very small company

    I am part of a really small company but we work on high-end projects where security of materials and system access is pretty important. Given that, can you give me some basic advice on how to go about this? Should I just go through each doc and delete sections that definitely don't apply or maybe write a note next to them that says "does not apply"?
  • Teleworking

    Can you help me with what teleworking is in Annex A control A.6.2.2?
  • Are the documents from Annex A mandatory?

    Under the list of mandatory documents required to be ISO 27001:2013 certified, you say documents from Annex A are mandatory only if there are risks which would require their implementation. So am I right to assume that technically these documents from Annex A, such as the inventory of assets etc., are not mandatory unless otherwise?
  • Balanced scorecard

    My question is whether there is any ISO standard related to the Balanced Scorecard.
  • Policy Applicability Questions

    If an organization has its physical data center at another location with a private hosting group, would the controls for physical perimeter security and data center security come into play in this case? Kindly share the justification as well.
  • Information Classification Questions

    1. Whose responsibility is it to enter information assets into the asset inventory? As the Information Security lead, should that be facilitated by me?
  • Number of not applicable controls in statement of applicability

    Dejan, after two stage 1 audits for two companies I feel rather confused, because I excluded almost fifty percent of the controls in Annex A, and the auditor considered this a problem to fix. Is it mandatory to apply almost one hundred controls? The two companies chose the controls to apply after the risk assessment process, and defined as not applicable those for which there was no risk to treat or no requirement by interested parties.
  • Various IT audits to an organization

    An organization's information assets include network, security, and application assets. What are the various types of audits that can be recommended to the organization from scratch to cover the compliance level? TIA
  • What does 'Managing records kept on the basis of this document' mean?

    Can I check what section 4 usually holds in each of the documents - "4. Managing records kept on the basis of this document"?