Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Performing Information security and POPIA compliance gap analysis
Good day Dejan, I have been going through your materials and I am about to purchase the ISO 27001 Documentation Toolkit English (with live expert support) Because I have the below message from a potential client. Hi, I have a client who would like us to submit a proposal to perform Information security and POPIA compliance gap analysis. The overall purpose of this analysis is to identify the level of compliance and potential gaps that might exist from an Information Security perspective when measured against ISO 27000, and Data Privacy as measured against POPIA. Deliverables 1. Report of Cyber Security Gaps along with the recommendations and a roadmap to resolve these gaps 2. Report of POPIA Compliance Gaps along with the recommendations and a roadmap to resolve these gaps 3. Presentation to the client of the findings of the Audit exercise 4. A penetration test report Response Requirements The following should be included in the response: • Approach • Specific Deliverables • High-level timelines What do you advise as to how to proceed with responding to the approach and specific deliverables? -
Question about GRC committee
I hope this email finds you well, I have a question , we will be creating a GRC committee, therefore, I need to know what first steps should be done with the committee as an information security officer. Also, what should be asked from the management representatives to do first and so on -
Asset inventory
When writing and preparing an asset inventory, should we write the name of risk owner/asset owner or the role? -
Do we need separate Cloud Security Policy?
If our business is Saas and it's all in CLoud for example. Currently, we need to have Information Security Policy as the required document. But do we need a separate Cloud Security Policy ? -
Revision to 27002 question
I read with great interest your Blog on the Revision Changes to 27002. Is it perhaps possible to share with me as to whether EACH Control will refer to the required Elements as well as the 5 Control Attributes in relation to determining appropriate Process guidelines? -
A.5.1.1 Policies for Information Security
We have a customer requirement that we would like to include in the Information Security Policy. I will map these onto area ‘Setting top-level information security objectives and intentions’, but would also expect control A.5.1.1 Policies for Information Security to be triggered. From the mapping document this does not seem to be the case. Actually, A.5.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should A.5.* not be mapped as a result of the area I mentioned? Or any other area? -
Register of legal, contractual and other requirements
1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?2 - For ISMS Scope: we’re not sure what to include and what to exclude! do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?
3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?
4 - For IT Security policy: is it only 1 global policy? Or we need to add related policies like: backup policy, cloud policy, data destruction policy ...).
-
Is antivirus software requirement for companies seeking ISO 27001 certification?
In working with my current company through their ISO27001 audit, I wanted to ask if antivirus software was a requirement for companies seeking ISO27001 certified? We are currently operating almost entirely out of the cloud on mac devices, so we wanted to ask if we had to get one before the audit. -
Requirements in Document Wizard
1. Why can I select only one person to approve my documents. We have more people so I am not sure how to handle this in our organization? 2. How are the risks and requirements listed in each step addressed in each policy. Do I need to do something on my side or reference them in specific paragraphs? How do I know which paragraph in the document covers which risk or which requirement so that when I am asked how we are treating those risks or requirements, I can show them?