I note that within the new ISO 27002 Code of Practice, there are no controls for cyber security. With this in mind, would the mitigation of cyber security be addressed with network architecture kept under review and implemented, use of IDS/IPS with their configuration kept up to date for access requirements, firewalls maintained correctly, policies & procedures and maintaining a proactive posture.
Regarding ISMS certification and accreditation
I've completed ISMS LA 2005 certification from BSI in June 2012. It is going to expire in June 2015. As of now, I can do only internal audit within an organization. May I know how can I get accreditation so that I can do external audit.
KPI for IT Disaster Recovery
I was trying to define key performance indicators for our company's IT Disaster Recovery capabilities. Some of them i could find are as follows:
Information Risk Management
How do i help/provide a professional consultancy service to a in a manufacturing industry on information risk management?
ISO 22301
Could you pls help me out in understanding different types of DR sites i.e Cold,Split,Warm,Hot DR sites in details with example ?What are the main/key components of BCP plans?
Confidentiality of Government Information
Our government requires its agencies to be transparent in providing information. One agency is adamant to implement ISMS because of this. How can they implement ISMS while remaining transparent?
7.2 Competence
According to Clause 7.2 Competence - ISO 27001-13
a)determine the necessary competence of person(s) doing work under its control that affects its information security performance;
d) retain appropriate documented information as evidence of competence.
For example the competence of CISO would affect its IS performance so should it be recorded,what type of information should be documented
Eagerly awaiting replys,
Thanks,
Itommy
Advantages/Disadvantages of Asset Based Risk Assessment
Hi All,
I find that many organizations have adopted an asset based risk assessment.I am concenred that many generic risks would be missed out. I would like to know your views on pros and cons of Asset based RA.
Many Thanks,
Itommy
User profiles in Access Control Policy
With regard to the Access Control Policy, do you recommend developing the user profiles in 3.2 and 3.3? Or would it be sufficient to describe generally the sorts of positions that get access to certain sorts of accounts?
ISO 17799/27001/27002?
What is a difference between ISO 17799/27001/27002? Pls do also throw a light on COBIT also.