When do I do the inventory of information assets? Prior to the risk assessment?
Exclusion of security controls in Statement of Applicability
How many Security controls can be excluded in SOA, if we want to implement them at later stage and what can be the exclusion justification for that?
How to define criticality?
Based on the results of BIA questionnaire, how i can define the criticality of my business process?
Enterprise Branch Certification
A foreign company branch needs to get certified. the branch assets mostly controlled by oversees company. even some servers and routers controlled by hq IT department. they need to get 27001. main company has isms but branch semi controlled semi independent.
how is the documentation should be? should we get the main company documentation into branch docs too?
I am seriously confused :)
I hope you guy can guide me out.
Thanks for everyone for their interest
BIA Questionnaire and the RTO
Where in the BIA questionnaire i can put the RTO? I see only option (item 6) to put the MAO.
Minimum documents for business impact analysis
Which are the minimum documents of your toolkit that are necessary to do a BIA?
The best ISO to implement for a Data Center
What is the best ISO to implement for a Data Center and for the IT Personel, what are the best suitable Security Certifications they should go after?
Should Physical Cable prototypes be considered as information asset
Our company is Wire Harness manufacturer for Automotive Industry and we are conducting ISO 27001 Certification project ; While building the Asset Register, we did meet some issues:
We have identified Prototype Designs of wire harness (electronic and paper designs information) as confidential information in the asset inventory .However I would like to know if Physical Cable prototypes should be considered as information asset or not.
Thank you for your support.
ISO 27001 Stage 1 and Stage 2 audit
What happens in ISO 27001 Stage 1. What documents they will look?
Third Party Providers vs. ISMS Policy conflictions
I have a concern presently concerning ISO27001 and company ISMS policy / third party agreement guideline vs. a third party who plays a large role in company activities.
Our third party agreement guideline states that third parties shall compy with certain security requirements.
We have a provider that has stated they are not iso27001 compliant but use many ISO 27002 principals, which is fine, but we are attempting to have them sign our agreemen - they do not want to sign, and I QUOTE
"Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" UNQUOTE
They have also provided a statement to replace what we have asked " QUOTE
X shall at all times operate and manage the information security, reliability, resilience, and technology planning in accordance with its security control policy. In order to provide a more understandable framework for its specific business, the X security control policy is organised around the 5 key dimensions of: governance, change management, confidentiality, integrity and availability. X has implemented a number of initiatives that enhance security, including a company-wide commitment to adopt many of the principles of ISO 27002, which is the code of practice for information security management. This involves, amongst others, risk management practices in line with ISO 27005 and NIST standards. These internationally recognised standards provide wide-ranging security guidelines" UNQUOTE
How does a company get passed this in ensuring they apply to the company security requirements especially when this aspect can be audited?
Is this acceptable?
Thanks for your reply