What is the process for documenting management's approval of documents and risks? Do meeting minutes suffice? What is best practice?
General board level governance document that the non IT Director can understand
I am looking for a general Board level governance document that the non IT Director or Trustee can understand and use as a benchmark against which to measure conformance to best practices. Can you help me?
Validity of the ISO27001 Certificate from Advisera
Dear Sir
Scope for a company that provides IT services outsourcing
The company provides IT services outsourcing and therefore has source code or confidential customer information; should such information be part of my risk management?
Owners of multiple assets
The Risk Assessment and Risk Treatment Methodology template states "When identifying assets, it is also necessary to identify their owners - the person or organizational unit responsible for each asset." When listing a laptop, for example, should it be the person who uses the laptop (or who it's assigned to), or should it be a layer higher than that? My concern is that if we have 800+ employees, we'd have to list all those individual laptops and their owners.
Several questions related to the implementation of ISO 22301
Hello, we are implementing ISO 22301 based on the package we purchased; in parallel we are implementing ISO 27001, where we have already made progress implementing policies and procedures, and there is a Gantt chart already defined for it. Regarding ISO 22301, we started with the business continuity policy, and here I have some questions:
Some types of assets
If I have some types of assets like persons, services and computers, do I have to classify them too? Or only the information assets?
Opportunities in the methodology of risk assessment?
I am confused because I created one information security risk management procedure, which is the methodology of risk assessment. Do I need to put something related to opportunities in that procedure or not? And do I need to add something to my risk register, like opportunities?
Controls for a cloud provider
Does ISO 27001 certification require control maturity for systems that are new to a deliverable model? For example, if a business unit were to deploy a company standard SQL image into a cloud provider infrastructure would the cloud provider have to have control maturity or are the current controls in place for on-premise data centers sufficient?
First things in ISO process
In the ISO process, what are the first things you should look at? What I want to know is what will fall in line with top priorities, so you can create a flow chart and work from the most critically important to the less significant issues, and can you build upon each?