Nonconformity and information security incident
BIA for communication department
What indicates a successful implementation of the ISO 27001
Identification of Requirements - level of detail?
Hi
I'm compiling my list of interested parties and their requirements for section 4.2
I have the list of legal/regulatory bodies etc which is very helpful, however I was wondering what level of detail I need to go into? For example, with the Data Protection Act, is it sufficient to include the general principles (e.g. "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."), or do I need to specifically include more specific requirements such as, e.g. "those involved in recruitment and selection are aware that data protection rules apply and that they must handle personal information with respect."
It seems that if I go into that much detail, it becomes more of a control application than a scope document, so I'm not sure when to stop!
Thanks
Obtain management support
ISO 27001 Lead Implementer / Lead Auditor
Technological vulnerabilities
Software development within the company
Our company sells software we develop ourselves.
Development is done within a separate system and is managed by its own policies, procedures, and has its own set of (security) requirements.
Do we need to include these policies, procedures and requirements into the ISMS?
I prefer to exclude this from the ISMS scope, because we don't use this software in our own production environment and the requirements are customer specific.
Thanks.