ISO 27001 & 22301 - Expert Advice Community


  • Should all applicable controls from Annex A to be fully implemented by the time

    Should all applicable controls from Annex A be fully implemented by the time of the certification audit? What proportion of the controls is acceptable in the status "Partially implemented" or "Planned" at the time of the certification audit? How do auditors regard such statuses in the SoA? Could this lead to a denial of the issue of the ISO 27001 certificate?
  • ISO 27001:2013

    I am acting for a client who is hoping to go for certification next April, and the original gap analysis was done on the 2005 version of the standard. We are keen to be following the 2013 standard, so we are making the appropriate revisions in the documents prepared to date. We have a Risk Treatment Plan and a Corrective Action process, but in order to show the auditor that we have "converted" I have prepared an extra document which I have called a "Remediation Plan". It sets out the old controls, the gap analysis score, the new control and the description of the new control, which then has a plan of action next to the control (stating the work we need to do, such as policy/procedure/process/review etc.). The plan of action is really a project plan of the individual groupings on the Risk Treatment Plan in more detail. Do you think that is enough to ensure the auditor knows we have converted ourselves over?
  • 2005 revision deadline

    My query is that we have engaged an auditing body to conduct a stage 1 audit (June 2014) in our organization. They conducted the audit against the ISO 27001:2005 version and shared their findings with us for closure; we are now closing the stage 1 audit findings and plan to engage our auditor for the stage 2 audit in mid-September 2014. Our consultant said that BSI is restricted to certifying against ISO 27001:2005 until September 2014, and after that companies have to certify against the new version, ISO 27001:2013. The confusion is this: if we certify against the 2005 revision and unfortunately the auditor raises a major non-compliance which takes, for example, 2 months to close, will BSI then certify us against the 2005 revision, or will they say that it is November 2014 and certification against the older version was only applicable until September 2014?
  • Minimum of three months for records for certification audit

    One of our customers insists there is a minimum of three months of records to be presented in an audit. I don't find any clause where this period is mentioned.
  • Question about CIA and asset inventory

    I have a question about asset inventory... I stumbled on a doubt: are the principles and scales of Confidentiality, Integrity and Availability applied to the risks or to the assets, or to both? How are the CIA principles applied in the new standard: to the risks or to the assets?
  • Control A.12.1.1

    In the "Mandatory documents and records required by ISO 27001:2013" section on the iso27001standard website, a document called "Operating procedures for IT management" is mentioned. However, the associated control (A.12.1.1) simply says "Documented operating procedures: Operating procedures shall be documented and made available to all users who need them" and mentions nothing about "IT management", so I'm wondering where that term came from.
  • Question about ISO 27002

    Why is it necessary to use ISO 27002 if just certified to ISO 27001?
  • Which assets to assess during the risk assessment

    My client is currently in the gap analysis phase of ISO 27001. The question I have is: they have over 500 business applications. Do we need to risk assess all 500 applications?
  • How to learn about infosec?

    1. I have little or no experience in infosec, but I want to get into this area. Any tips?
  • ISO27001:2013 A.14.1.3 - Protecting application service transactions

    Hi, for control A.14.1.3, "Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay", I'm not clear exactly what this is asking and how it applies to us. Our company builds and manages cloud-based software, and internally we use both cloud-based and on-premise applications, so I expect that it will relate to these, but I'm not sure how. Can anyone please give me an example of how this control is implemented in their environment? Alternatively, a better explanation of exactly what this control means would be great. Regards, Damian