ISO 27001 & 22301 - Expert Advice Community


  • Mapping of requirements categories to ISO 27001 controls

    Hi Dejan, Thanks for your reply and I understand what you are saying in the bullet points. However, I do believe my questions are still not fully understood.
    1) There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the drop-down list for the Area field, right? But my point is that there is no option for Human Resources Security available from the drop-down list for the Area field. So my initial question some time ago was, why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the Area drop-down list?
    2) I understand the reasoning behind mandatory safeguards, but my question about that was where do these requirements show up in the SoA? Or do they need to be added to the SoA manually?
    I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as part of request 63693. I still would very much appreciate having a few hours of detailed training in the use of Conformio (like explaining the function of every field), as there are still areas that are unclear to me, that are not documented and that are costing me a lot of time getting them answered by sending emails to support and even going back and forth quite a few times, like about this issue. I would appreciate it if some training were available in the short term.
  • Corrective actions and nonconformities

    How could the nonconformities found in the internal audit and exposed in the corrective actions affect the external audit? What happens is that in the organization where I am, they are afraid that we will find major or minor nonconformities, because they think that the external audit will be based on these results, so they prefer to just use nonconformities in general and not use major or minor nonconformities in the form.
  • ISO 27001 and ISO 22301 Policies

    I hope you are well and had a relaxing weekend. I have acquired the premium papers for ISO27001/22301. I have a few questions with regard to implementing an ISMS within our organisation, which I hope you would be able to provide me with guidance on. Please note this is a ***. I am not sure, but you may need the existing documentation, which I will provide if requested. Some additional info on me and my position within ***: I started less than two months ago as an IT Security Manager, although the title does not signify my overall responsibility for Cyber Security and Business Continuity/Disaster Recovery. I am still trying to find all details with regard to the security posture and security stack I am responsible for. Some is owned and managed by a third-party IT provider, who outsources the SOC and Forensics. Currently I have been asked to provide input on some policies and to provide expert guidance for business continuity if a total blackout of power for a week occurs. Here are my questions:
    Currently the password policy is part of the ISMS and has a couple of lines. The policy is a framework that does not provide technical details. I see your policy template is slightly more expanded. What other document/statement/process/procedure do I need to develop to complement this policy, which will include the details of the implementation and controls we use within the organisation?
    Second question. The password policy does not work. People are using digital files to store their passwords, use the browser to remember their passwords or private password management apps. How would I define the risk associated with this? I thought risk of noncompliance, but this is not the correct main risk. So what would be the risk associated with a not correctly defined password policy?
    Next question - We have no patch policy and need to define the risk. Please note we have a robust patch policy which is decent. The only issue we have is that some users do not use the devices and they become high risk. Any info on the risk definition, as well as what we can enforce so the devices are connected once in a while (monthly), would be appreciated. We have no weekly vulnerability scanning. I am not sure how to define what the RISK is in terms of definition. The same goes for not having visibility of the security stack. The support company is slow to provide me with reporting and read access to the security systems in place. I do not have good reporting to provide SME to the board.
    BC/DR: On the BC/DR, where do I start? We have one general overview of the BC/DR as a policy with people hierarchy. Resilience and Emergency Planning exercise - We previously did a live one but should consider tabletop and other ways of doing it (I have not been involved). What would be your recommendation on how to lead and prepare for this? Please note my previous company was only 30 people and was straightforward. Now it is 250, a number of departments, and it needs to follow some Government framework. The Total blackout plan (week of no electricity): Please note our business would not suffer any damage from this downtime. Only a couple of people after that period need to be able to communicate. Any suggestions on where to start with this would be great.
  • Is Conformio for us?

    *** has several offices around the globe and has a total of around 1000 employees. If all offices will be within our scope, can we still use Conformio to get our objective?
  • Question about ISO-27001

    I'm writing to ask about the requirement for a remote-only organization to own an office space in order to become ISO-27001 certified. The question has been partially answered here: https://community.advisera.com/topic/certification-of-remote-companies/ The answer explicitly states that we should ask our CB, which we have done, but since they are not allowed to provide advice beyond what is necessary for the audit (to avoid conflicts of interest, I assume), I was wondering if you could provide some additional guidance on this. Namely, whether the location to be audited has to comply with some minimum requirements in terms of size, amenities, equipment and others.
    1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable?
    2 - How does that compare to a rented room or desk in a co-working space?
    I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matter.
  • ISO 27001 Risk Assessments

    When conducting an ISO 27001 risk assessment, are the risks identified through the ISO 27001 controls themselves, or are they just random risks that our business identifies?
  • EU GDPR & ISO 27001 Integrated Documentation Toolkit questions

    1. We have completed the GDPR Assessment (file 1.1) and most of the answers are negative since we have just started working on the GDPR as well. It's mentioned in the file itself that "If you answered, “No,” to some questions, it will indicate where you need to focus your compliance efforts." Does this mean that we have to first work on what is missing from the GDPR, hence turn the "no's" into "yes", and then proceed with the ISO documents (Requirements, ISMS Scope etc.)? Or is there a different process we should follow?
    2. Once we finish the first draft(s) of our ISMS scope, we would like you to review it as part of the package services we have purchased together with the documentation. Is there a certain procedure we should follow? Given the fact that the Scope is the baseline for implementing ISO, we believe that it would be wise to ensure that our ISMS scope is reasonable and meets all the necessary features.
  • Merging IT Infrastructure and ISO 27001

    As always, your input is appreciated, and I hope that as a result of my questions being answered, many others can benefit too when they visit Advisera. As a company we have recently acquired a business; we are currently ISO 27001 certified, they are not. We are bringing their IT assets and infrastructure under our control. In terms of compliance from an ISO 27001 perspective, are there things we should be doing/checking to remain compliant with the ISO 27001 certification and standard?
  • Where do requirements in the area of 'Specifying mandatory safeguards' go?

    When I add a requirement and assign it to the area of 'Specifying mandatory safeguards', I do not see it appear in the Statement of Applicability or Risk Treatment Plan. So where do these requirements appear in the later workflow, and how do we keep track of implementation, etc.?
  • ISO 27001 Toolkit Support

    I would like to see if you can provide any advice on how to approach the ISO 27001 toolkit. We had a third-party internal audit that was quite brutal and while I thought I ticked all of the boxes as per the Advisera toolkit, it was clear that these documents were very inadequate for us. We failed the audit miserably, and I am left even more confused than ever before. I have many examples, but I want to start with one in particular. For A.6.5, the 2022 version toolkit says I need to use the Confidentiality Statement (09.22). Yet the guidance in 27002 for 6.5 states requirements that the confidentiality statement does not address. In our audit, I supplied the confidentiality statements as well as a work instruction to remove access upon termination. The auditor's comment was "The leaving procedure of people is only technical; Must be reviewed with HR point of view." Saying nothing about the confidentiality statement. Can you help me understand how the document pack addresses this control? Hopefully we can unlock the mystery of all of the other missing items for me.