I am leading a team which is working on ISMS and PCI DSS certifications and implementing Information Security at our global office locations and Data Centers. I would love to know how ISMS can be implemented in a quite complex and diversified organization?
First things in the ISO process
In the ISO process, what are the first things you should look at? What I want to know is what will fall in line with top priorities, so you can create a flow chart and work from the most critically important to the less significant issues, and can you build upon each?
More information about the SOA
More elaboration on SOA
Template for the context of the organization
I have put in place the context of the organization and also listed the various interested parties. Now I need to write a procedure on how we collect feedback from these interested parties. Is there any template or example you can help me with so I can show this data?
Specific requirements about the qualifications of an internal auditor?
As an expert in ISO 27001:2013, I would like to know the qualification of one who can conduct an internal ISMS audit. Must the person be ISO 27001:2013 certified? What is the requirement of ISO 27001 on this matter?
Best practice for residual risk?
The product of Asset value, likelihood, impact and vulnerability is 36. After implementing a control, the residual risk drops to 12. Any best practice for considering such a number as an acceptable level of risk or not?
What if supplier refuses to apply security measures?
In case suppliers refused to apply the required security measures during the ISO implementation (still no certification), how would that affect the certification process?
Initiating failover to the secondary site
Once a major incident has occurred, at which point does the calculation to initiate failover to the secondary site start? Consider that at the time of the incident it may not be major, but because the service is critical and it takes a prolonged time to be brought up again (as an example, RTO 30 minutes), after what time from the incident occurring can these 30 minutes start, since failover will also take 30 minutes once the decision is made?
Questions on Risk treatment table
For Risk Treatment Table, do we need to copy all the risks from risk assessment table or only with high risk?
Benefits of risk management and ISO 27001
What is the greatest cost-benefit of implementing risk management based on this ISO 27001, in your view? Is this statistically quantified in Spain, Europe, the United States, etc.?