Background:
No. of employees: ~ *** employees
Scope for ISO certification (*** sites):
Site A: 5 employees, CxO, a few tech people, with a physical office shared with the *** parent company
Site B: ~ 35 employees, Operations (Developers, cybersecurity, Cloud support), no physical office (***).
Working environment: 80% of the time, site 1 personnel are working remotely, while site 2 employees are 100% working remotely.
Can you please provide some guidelines on the following scenarios?
1. Physical office security for site 1:
Given the scenario above, is it possible to treat the site 1 office as out-of-scope? The existing security controls of the office do not fully conform with the standard, and our personnel cannot make major changes to the office security since they are only sitting in our parent company's office. In terms of the risk associated with physical security, we assess that it is minimal since most of the time (80% of the time) our personnel are working remotely anyway. Security will be enhanced for the personnel themselves (awareness), their system accesses (policy, access rights and reviews, and the like), and their user laptops (endpoint security such as anti-malware, DLP agent).
2. In site 2, our HR, Recruitment, and IT (laptops, user peripherals, purchasing of this equipment) services are provided by our parent company (shared among some of its subsidiary companies). Are they still considered suppliers of the services, and will they be required by the standard to comply with the applicable third-party controls (NDA, contracts, etc.)? We do not have such a contract established with our parent company. The personnel of the aforementioned teams only access "internal" classified data such as employee info, payroll, and the like.
How to close treatments
How do you close risk treatments?
A.7.9 Clause
Thank you for the amazing conversion tool from ISO 27001:2013 to 2022.
Can you please assist me with the 2022 clause for A.7.9, as I cannot seem to find a reference either in the conversions or in the new controls?
Nonconformities - entering corrective actions
When attempting to enter new nonconformities, I am unable to enter the data against responsibilities, corrections, corrective action, and review. Where in the process do I get an opportunity to enter data against these field items?
New implementation: ISO 27001:2013 + ISO 27002:2022
Hi ISO people.
I'm in the middle of an ISO 27001:2013 implementation. I'm just finishing chapter 9.
Now I've read ISO 27002:2022 and I would like to implement the new controls instead of the Annex from ISO 27001:2013.
Will that get me in trouble if I write that we've decided to use the new set of controls and excluded the Annex from 2013 completely?
Conformio question
I have a question: should I, and can I, write specific assets in Conformio? I.e., in the case of the asset "Operating systems", do we use "Operating systems", or do we write "Windows operating system" and make it more specific?
Toolkit questions
I have many questions.
First one: why does the implementation toolkit not contain the folder for A5 and the folder for A18 in folder 08 for Annex A?
Second question: while browsing your website, I found the document named "Checklist of ISO 27001 mandatory documentation". I am confused and have a question regarding this document and the documentation I should deliver to the certification auditor. My question is: do I have to submit this document to the certification auditor?
Third question: what is the difference between this document and the implementation toolkit, which contains folders from 00 to 12?
Security Management System
In the implementation of the Information Security Management System, I am in the risk and vulnerability analysis phase; I would like some advice and guidelines.
Assets management
Good evening. I have doubts regarding asset management. I see that within the purchased package there are no reference procedures for the management itself; there is only an asset classification policy and an inventory. Would you have an example of them, and could you clarify whether a procedure is necessary for the management of assets and information assets?