Making mistakes in documents because of an auditor
One of my colleagues also told me to make some mistakes in the documents so that the auditor has something to pick up, because if everything is perfect, the inspector doesn't expect everything to be fine. Please suggest.
Procedure for Document and Record Control
Question about Section 4 "Documents of external origin"
What types of documents would this include? I am having a difficult time trying to think of why this would need to be in the procedure.
Does this include parcels? If so, what type of parcels would this apply to?
Records of Management Decisions
Several flow charts published reference the Records of Management Decisions as a required document. This same document looks to be a deliverable early in the implementation process. Do you have an example of this document, or can you share what it would contain so early in the process?
Risk register vs. risk treatment table
Is the risk treatment table considered the risk register, or is the risk register something else?
Risk Assessment Table
This is in reference to the Appendix_1_Risk_Assessment_Table_EN spreadsheet.
In preparation for filling in the Risk Assessment Table, I recognized that a particular asset, say a "laptop", could have more than one threat, and for any given threat there could be more than one vulnerability. How do you account for these multiple possibilities for each asset? It seems there could be many combinations.
Specifying excluded controls as exclusions in the ISMS Scope document
In paragraph 3.5 Exclusions of the ISMS Scope document, shouldn't the excluded controls also be listed?
Referring to Inventory of assets from the ISMS Scope document
Item 3.4 Resources of the ISMS Scope document says it may add a reference to the asset inventory. The asset inventory is performed once the scope of the ISMS is defined, so how could I add a reference to that document?
Weekly status report for management
My CIO is expecting me to generate a weekly status report, but I am uncertain what to provide since I do not have a step-by-step procedure. I know you said your documents are in order, but it seems that there is a lot more work that needs to be done outside of completing your documents? Any additional guidance would be appreciated.
Filling in the inventory of assets
When do I do the inventory of information assets? Prior to the risk assessment?
Exclusion of security controls in Statement of Applicability
How many security controls can be excluded in the SoA if we want to implement them at a later stage, and what can the exclusion justification be for that?