
ISO 27001 & 22301 - Expert Advice Community


  • Physical security Policy

    Hi Dejan, I have a doubt. For ISO 27001:2013, 11.1.3 refers to CCTV controls. Does it mean it directly? If CCTV is not recording, is that an incident? Also, if CCTV details and other access control events are not backed up, is this an incident? Can you please explain why, what the compensatory controls are, and how to resolve it? Thanks, Vijay
  • Access control

    We have received this question: "Access control - user vs technical? How do I distinguish the difference in ISO27002? This is regarding ISO27002 - section 9 Access control 9.2 vs 9.4" Answer: The rights are given to users (people) to access information (e.g. physical documents), applications, hardware and locations (buildings and rooms). The correct management of this aspect is covered by clause 9.2. Clause 9.4 covers ‘how’ the access rights should be implemented in the technology to make sure the data on the computer systems (including mobile devices and telephony) are accessed according to the rules fixed by clause 9.2.
  • Align IT services continuity with ISO 22301

    Is ISO 27031 a good option to align IT services continuity (aka DRP) with ISO 22301 (BCMS)?
  • Vocabulary

    "We have 2 terms for: ENGLISH: Risk evaluation, risk assessment (there is no glossary)
  • Asset owner and risk owner - how exactly are the two differentiated?

    I've received this question:
    "Regarding the “asset owner” and “risk owner” when it comes to people. How exactly are the two differentiated? For example – a Network Administrator. Would the asset owner be “self” and risk owner be “department manager”?
    Answer: I assume you are asking a question related to people as assets in terms of ISO 27001. For Network Administrator, the asset owner would be his direct boss - e.g. the Head of IT department; risk owners should be people who can resolve particular risks - e.g.:
    - risk of performing wrong activities because of non-existing rules - risk owner could be Head of IT department
    - risk of performing wrong activities because of lack of training - risk owner could be Head of HR department
    This article can also help you: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Involving the management in the BCP process

    "I had the opportunity to work with the implementation of this standard two years ago. In addition, I had the opportunity to offer a few trainings regarding BCP and share experience with a few industries here.
  • ISO27001 Risk Register

    We have received this question: "I’m preparing the risk register. Let's take the asset as "firewall", the threat as hackers, and there would be a lot of vulnerabilities associated with this threat (improper access rights, misconfiguration, lack of rule base audit, etc.). But I have seen risk registers with one threat and they write only one vulnerability. Please provide your inputs regarding this query." Answer: Risks are better expressed in terms of scenarios: « this happens to that element under these circumstances and causes this level of damage ». Each asset can have several threats that in their turn have several vulnerabilities. So we recommend, for a comprehensive risk register, to have one line per vulnerability and one group of vulnerabilities per threat. If a register only shows one threat or vulnerability for each asset, it’s probably because the risk manager has, after analysis, only kept ‘the worst case’. An auditor should accept all that you included in your risk register, but you will have to explain what you did to come to this register and how you did it. It’s ‘your’ security that counts, not the way the auditor thinks it is. Note: The ‘Asset-Threat-Vulnerability’ method is only one possible approach for risk analysis.
  • Access control

    What is the best way to set up within our organization the team that does the access control task, in order to have a correct segregation of responsibilities?
  • Question regarding the procedure for document and record control

    Currently, we are faced with a question regarding the procedure for document and record control: within our certified quality management, we already have such a procedure in place. However, this procedure only applies to documents and records of the management systems, as well as to templates, guidelines and other policies that are binding for employees. In contrast, documents and records that are, for instance, created within customer projects are only implicitly part of the document control, i.e., employees should use the templates that are part of the document control (if applicable). In fact, the templates contain a mandatory field for the confidentiality class and we also will have a policy for classification and labelling of information. Nevertheless, probably a lot of information exists that is not, or rather cannot be, documented by the use of the controlled templates. Now, we are wondering whether or not the current “scope” of documents and records to be controlled is also sufficient in terms of the ISO 27001 requirements, in particular in light of the plan to have a policy for classification and labelling?
  • ISO 22301 and ISO 31000

    1. What are the key differences between ISO 22301 and ISO 31000... since at a glance they look similar?
  • Question on clause 9

    While implementing ISO 27001:2013 for a leading bank, I am stuck at clause 9.