Please select user.Assign
There are no topics yet.
A customer will have an ISO 27001 certification audit in July and the drp plan is already contracted for delivery in December with a signed contract. However, we know that in July there will be no evidence of the drp test, only the project purchased with the evolution. He wants to know if this would lead to a major non-compliance, making the certification recommendation unfeasible.
The company in question has 2 servers in 2 cities. However, the systems are NOT complementary. One would not support the other in the event of a disaster. The DRP solution was then contracted to increase the capacity of the smaller equipment to supply in case of interruption of the larger server. They already have the backup procedure, however, in the current situation, the company was not able to be operating all systems in the event of a disaster. The contracted project will be operational in December, but the audit will be in July now. The concern is that the DRP is stated in the applicability document, and in July, we will not yet have the main evidence of a test carried out showing that the DRP is working. Only in December, as promised. The question is whether this will be considered a Major NC for lack of practical evidence of the DRP test, or if it would be a minor NC, for showing that the situation is contracted to resolve in December.
What does the graphic/pic represent in this article https://advisera.com/27001academy/blog/2015/02/16/change-thinking-can-stop-59-security-incidents/
HI, I would like to know if the VDA ISA Certificate overlaps with the ISO27001 and if we can use another template and implement all the controls needed for the VDA ISA, but using your own templates for the ISO 27001. That would mean that when we do the risk assessment we will take into consideration the Excel table from the link above and later implement controls for the ISO27001 on that basis. Would that be enough to have a maturity level of 3 or 4 if everything is implemented and works? Any advice on implementing ISO27001 and VDA ISA in parallel is greatly appreciated and if you have materials that would be useful or even document kits that we can buy, we would appreciate it. Thank you.
I would like to take this opportunity to thank you for your webinar yesterday.
I would request you to please share some ideas / opinion on the below mentioned ISMS implementation flow in chronological order. Your opinion or suggestion will be a great help for me.
STEPS INVOLVED IN ISMS IMPLEMENTATION
01) Discussion with the top management for implementation of ISMS
02) Planning of awareness programme
03) Define of scope
04) Discuss & document the statutory & regulatory requirements (security) applicable to organisation
4a) Risk identification (HAPPENS PARALLEL)
1) Identification of assets
2) Risk assessment & treatment plan
4b) Scope of applicability
1) Discussion & Understanding of the controls & applicability to organisation
05) Discuss & document the internal & external issues
06) Define & discuss the interfaces & dependencies within the processes in the organisation
07) Awareness training on ISMS certification across the organisation staff
08) Define document applicable ISMS documents, Roles & responsibilities
09) Implementation of controls within the organisation
10) Monitor implementation progress
11) Internal Audit after implementation
12) Management Review meeting
13) MRM outcome implementations & improvements
14) Preparation for external (certification) Audits
To what extent would you integrate 27001 and 27002 in the establishment of guidance to Controls?
Attached is the risk assessment matrix we chose to use for our organization when doing ISO 27001 implementation. We think this will make more sense for us than multiplication or addition of 'Impact' and 'Likelihood'. Will there be any issue of using it, does ISO specify a set of matrixes so we cannot use anything else?
1. Please confirm the following versions of the Mandatory Documents the latest/current versions: ISO 27001 – ver 3.9, 2020-02-10
2. Within the ISO 27001 Documentation Toolkit List See attachment 27001A
I hope to know the relation between iso 27k and the IS strategy is it part of it or is it considered as tactical process.
1. Is there a possibility to integrate ISO 9001 with 20000 or this is not recommendable? If this is not recommendable, how will the usage of the three management systems according to the three standards (9001, 20000, 27001) be facilitated?
2. What outcomes could be expected within the certification process provided that we have developed the systems in compliance with the applicable standards:
a. One integrated management system?
b. Separate systems for each of the three standards?
c. One system for 27001 and one system integrating 9001 and 20000, each of them with different scope?
1 - Doesn't ISO 27001 have to describe an assessment of confidentiality, integrity and availability? In the risk analysis, I only evaluate according to threat and weakness. These have an effect on confidentiality, integrity and availability.
2 - For example, I find the Business Impact Analysis at the BSI. Don't I have to do this in ISO 27001 as well?