I'm starting to implement the ISMS. Regarding the scope, I read a blog article (Explanation of ISO 27001:2013 clause 4.1) and noticed I have to determine the internal and external issues. Do I define roles and responsibilities for all employees of the organization, or just those involved in information security? And is there any recommendation for this, for example a list containing the name, job title and responsibility?
Third Party SLA for out-of-scope Systems
We are currently ISO 27001 certified and the ISMS scope also includes our customers' systems (hosted at customer's premises as well as outside customer's premises).
The same customer has also initiated their ISO 27001 Compliance initiative with the scope of "All IT Services".
Now, in this case, to avoid duplicated ISO audits and remediation, what is the possible way forward?
Should we share our asset list with them to ensure there are no duplicates across our asset lists? They would then go ahead with the audit of the assets on their list (i.e. the assets they manage and operate), and we would continue with the surveillance audit of our asset list (i.e. the assets we manage and operate). That way we don't have to undergo the end-of-year audit twice, including all the documentation, records, controls implementation, etc. In other words, we as System Owners (of the customer's systems, where the customer is the data and business owner) continue to be responsible for compliance.
Also, is it possible to develop an SLA between us in such a way that the customer's ISO auditors do not carry out an exhaustive audit of our assets? For example, can we include a statement in the SLA that the service provider (i.e. us) is ISO 27001 certified, and hence avoid the duplication? We, as service provider, can always produce information to demonstrate compliance. With the above approach, the customer would still be able to identify themselves as ISO certified.
Risk Assessment Toolkit
I need help with your risk assessment toolkit. Does it have questions related to the risk controls in the Annex? E.g. if I do a risk assessment on an application, does your kit have questions to ask the application owner?
I do hope you are fine. I got stuck again and I need your assistance. After going through the risk assessment, I'm able to come up with a master list of documents like the business continuity plan, backup testing plan, access control policy, etc. I want to implement the listed documents, but I don't understand what I should do, since I'm not implementing them in a real scenario. I'm just implementing them on paper, like a case study, trying to develop the ISMS just to assess my understanding of ISO 27001. Hope my question is clear.
Information Security Policy
What is the difference between clause 5.2 and the A.5.1.1 and A.5.1.2 controls?
I've got this question about documented information. Should policies or procedures, like the Control Access Policy, be considered documented information? Taking into account ISO 27001 clause 7.5.1 b), it seems that the company may decide this issue.
Interested Parties
Hi, I need to define my organisation's interested parties and I need clarification of this. I'm looking for an example of a procedure that can be written to detail this, but can't seem to find any guidelines for it.
Documents and records
Should all of the organization's documents be structured like the mandatory documents of ISO 27001 (containing the level of confidentiality, document management and validity of the document), or all documents, e.g. a slide show, minutes of meeting, contracts, test reports, etc.?
Program Source Code
Which program source code is meant? As an IT company we are developing programs and of course we have access to source code. The standard says that access to program source code shall be restricted. The only restriction that we have is by team and by customer. The customer shares the access rights to the program that we develop for them. But when we develop our own program or software, only the specific team that works on this project has access rights to the source code.
ISO 27001:2013 Asset Based Risk Assessment
I would like to get your advice on performing a RA based on ISO 27001:2013. Currently my organization has an asset-based RA. Please let me know what the mandatory requirement for ISO 27001:2013 is, and kindly share if you have any sample or template.