I do understand how to go with Risk Assessment. I was able to identify the assets, vulnerabilities, threats and impacts. But I couldn't understand from the Methodology how to do the qualitative and quantitative analysis in order to move forward. Please, I need your comprehensive assistance regarding this issue.
Information asset in ISO 27001:2013
For your information, we are now in the process of transitioning from ISO 27001:2005 to ISO 27001:2013. In the past, we did risk assessments and treatment plans for all types of assets like hardware, software, documents, infrastructure, people. Now, in ISO 27001:2013, can I continue doing risk assessment based on the assets mentioned above? Is it OK if we exclude hardware, infrastructure, and people from the risk assessment?
ISMS Feasibility
What requirements should we consider and provide before setting up an ISMS within the organization?
Asset Identification for Contact Centers
In the case of a Call Center, we have access to our Client's database which has confidential information of their customers. Do we consider this as an Asset during our Risk Assessment or should we leave it to our Client's side?
In the case that it is our asset, should we apply an additional layer of control?
ISMS Scope Document
What would be organizational units within the scope of the ISMS?
Monitoring of third parties
I am assisting my current employer with third party governance and looking to put some KPIs together for the monitoring of such third parties. I may be interested if you have any potential info for this. For example, what do we do in order to clarify that a third party is patching effectively, etc.?
ISO 27001 clauses applicable for Cloud Security
With Cloud Computing and Cloud storage being the buzz words, I would like to know which clauses of ISO 27001 deal with this aspect for an organisation opting to use Cloud services.
What are the possible security concerns, and how does ISO 27001 address them?
Recording changes when making a transition to ISO 27001:2013
If you are already certified according to ISO 27001:2005 and now you have a surveillance audit that plans to audit against ISO 27001:2013, my question is: do you record all the changes made to the ISMS as improvements, or do you just start making changes and recording them in the relevant change history section of each document?
SOA Related
What should be the recommended structure of the SOA for a multi-location organisation? We as a certification body prefer that the organisation describes the applicability of relevant controls for each location. It helps us to know what controls to see at each location. Please confirm.