We've received the following questions:
1. I would like to know the difference between Risk Assessment and Incident Management.
2. During risk assessment, we consider Disaster as a risk; how can it become an incident later, even if it was identified earlier?
Answers:
1) Risk assessment is a process where you try to identify all the potential security breaches that might happen in the future. Incidents are the risks that have materialized, i.e. the real breaches that have happened; incident management is a process for managing incidents.
2) Disaster itself is not a risk, it is a threat; it can become an incident if you didn't implement all the security controls to prevent such an incident.
Exclusion of controls
Which controls from Annex A can be excluded, if my organization:
Communication Plan and Corrective Actions
Get qualifications
We have 3 IT personnel within the Agency IT Department, and as we implemented the ISO 27001 standard a few years back after an IT audit, we would like information on how to proceed to get qualifications within this area. Any advice on this area and what training path to take would be much appreciated.
Security Compliance Management
I think that Annex A from 27K1, part 18 Security Compliance Management, is missing in your toolkit or... I can't find it. This part is necessary for successful certification.
Differences between third party and suppliers
Can you confirm what the differences are (if any) in regards to third parties and suppliers (vendors)? In respect to third party agreements vs. supplier relationships, I'm thinking none; is it just a case of terminology?
The owner of the ISO 27001 has been changed to a new department
I do have one critical question: in our organization we are already certified to ISO 27001:2005 under the ownership of one department. The organization established a new GRC function (department), and one of its roles is to own and manage the ISO 27001 certification. Will the certification be voided if the owner of the ISO 27001 has been changed to the new department (the two departments are under the same organization)?
Information Security Objectives
Hi friends,
Based on ISO 27001:2013, do "Information Security Objectives" refer to 'confidentiality', 'integrity', 'availability', 'non-repudiation', and so on? Is that true?
Additionally, how do we measure them? And what would the plan or framework to achieve them be?
Thank you
Best regards