Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Does risk treatment table need to be separate from risk assessment table?
Does the risk treatment table need to be separate from the risk assessment table? It seems to me that columns on treatments and treated risk values can be added to the unacceptable risks in the risk assessment table and this can avoid duplication. What do you think? -
Content and scope of External Threat Monitoring
at present, the most immediate question I have is this – what is the content and scope of External Threat Monitoring? Would it be adequate to comply with US’ FISMA Act 2002 (it is a US Act but is adopted worldwide as a best practice), and, as part of FIMA compliance, should we adopt NIST’s standards, namely, FIPS 199, FIPS 200, and the NIST 800? External threat monitoring [job title] is responsible for monitoring suppliers, manufacturers, and security reference groups in order to identify external threats that can impact applications and systems, and [job title] must select actions to be taken in case new threats are identified. -
ISO 27001 is being revised: Which standard revision should you implement?
R u sure they fall in 13 n rev comes in 22 Your qn doesn’t expect me to ponder after 15 -
ISMS SCOPE DOCUMENT
Hope you are doing well I have some question about ISMS scope ISMS SCOPE DOCUMENT document does not include the following as you mentioned in your book "secure & simple" ISO 27001 says you have to do the following when defining the scope: Take into account internal and external issues defined in clause 4.1. Take into account all the requirements defined in clause 4.2. Consider interfaces and dependencies between what is happening within the ISMS scope and the outside world. and the last point also needs more clarification on how to do It, I mean other method rather than diagram. -
Management review for ISO27001
I just had a workshop in ISO27001 lead implementor. As a preparation for the audit, I need to prepare a management review, I would like your advice about the needed step for creating this document in ISO27001. -
ISO 27001 Conformio questions
1. In case we have to abide by requirements in several states because we are doing business with both, how should we handle these requirements in the context of ISO 27001 implementation? 2. In case we have defined a security objective and we fail it (i.e., our target was to decrease the number of incidents, and we see that they have risen) will this hamper my possibility of obtaining the certification. 3. How do we select a certification body? -
How can we move to 27001?
I have a question regarding the effort to move from the old version of 27001:2013 to the new one. What effort / resources shall we plan ? We have implemented 27001:2013 since 10 years…Do you have a guideline how to proceed? -
Conformio - ISO 27001 Requirements
I saw that based on the risks or tasks created when preparing the corresponding documents in the requirements section it states to include them in the doc, is that being done by manually adding the references in the editable sections or is there a different method? I have uploaded a screenshot as requested. As you can see in the requirements it states to be sure to resolve the listed risks. Should this be done by inserting some references in one of the editable portions or is it being done by the wizard in one of the steps?
-
Questions about Scope of my ISMS ISO 27001:2013
Good morning, You can help me with the following questions I would like to know what level of detail should be specified in the wording of the scope of the information security management system?1. Should I write the exact listing of all the information assets covered?
2. Should I write the exact list of the information provided?
3. Should I write the exact list of applications / software covered?
4. Should I write the exact list of the physical offices covered?
5. Should I write the exact listing of the databases covered?
6. Should I write the exact list of websites / mobile applications covered?
7. If I want to include all the information assets of my organization is it sufficient to write: "The scope of the SGSI covers all the information assets of the Organization" or do I have to be explicit by detailing all the information assets?
8. Do I have virtual machines on Microsoft Azure that run critical applications, should I specify that the scope only covers the applications installed on these virtual machines that are on Microsoft Azure? or should I also include the virtual machines and their contents?
9. We currently have corporate mail with GOOGLE, is mail a critical asset in our organization, should I also include it in its scope if a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?
10. Currently we send our customers emails and massive newsletters that contain important business information, are these emails and newsletters sent through a provider's software, should I also include it in the scope of a service provided by a third party? What considerations do you have in the writing in the link at the level of this service?
-
Legal and contractual requirements question
Looking through our List of Legal, Regulatory, Contractual and Other Requirements documents, we had a question. As a small company that deals with commercial driving fleets, are we expected to have a long list of these requirements? Of the list of requirements that were listed on the article linked in the actual document, none really applied to us. We do not operate in individual states that have these requirements, so we had very few there. As a whole, it seems like we only have a few contractual requirements with our customers. Does that seem right?