ISO 27001 & 22301 - Expert Advice Community


  • Vocabulary

    "We have 2 terms for: ENGLISH: Risk evaluation, risk assessment (there is no glossary)
  • Asset owner and risk owner - how exactly are the two differentiated?

    I've received this question:
    "Regarding the "asset owner" and "risk owner" when it comes to people: how exactly are the two differentiated? For example, a Network Administrator. Would the asset owner be "self" and the risk owner be "department manager"?"
    Answer: I assume you are asking a question related to people as assets in terms of ISO 27001. For a Network Administrator, the asset owner would be his direct boss, e.g. the Head of the IT department; risk owners should be people who can resolve particular risks, e.g.:
    - risk of performing wrong activities because of non-existing rules: the risk owner could be the Head of the IT department
    - risk of performing wrong activities because of lack of training: the risk owner could be the Head of the HR department
    This article can also help you: Risk owners vs. asset owners in ISO 27001:2013 https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
  • Involving the management in the BCP process

    "I had the opportunity to work with the implementation of this standard two years ago. In addition, I had the opportunity to offer a few trainings regarding BCP and share experience with a few industries here.
  • ISO27001 Risk Register

    We have received this question: "I'm preparing the risk register. Let's take the asset "firewall" and the threat "hackers"; there would be a lot of vulnerabilities associated with this threat (improper access rights, misconfiguration, lack of rule base audit, etc.). But I have seen risk registers with one threat where they write only one vulnerability. Please provide your inputs regarding this query."

    Answer: Risks are better expressed in terms of scenarios: "this happens to that element under these circumstances and causes this level of damage". Each asset can have several threats that in their turn have several vulnerabilities. So, for a comprehensive risk register, we recommend having one line per vulnerability and one group of vulnerabilities per threat. If a register only shows one threat or vulnerability for each asset, it is probably because the risk manager has, after analysis, only kept "the worst case". An auditor should accept everything you included in your risk register, but you will have to explain what you did to arrive at this register and how you did it. It is "your" security that counts, not the way the auditor thinks it should be.

    Note: the "Asset-Threat-Vulnerability" method is only one possible approach to risk analysis.
  • Access control

    What is the best way to set up within our organization the team that does the access control task, in order to have a correct segregation of responsibilities?
  • Question regarding the procedure for document and record control

    Currently, we are faced with a question regarding the procedure for document and record control: within our certified quality management system, we already have such a procedure in place. However, this procedure only applies to documents and records of the management systems, as well as to templates, guidelines and other policies that are binding for employees. In contrast, documents and records that are, for instance, created within customer projects are only implicitly part of the document control, i.e., employees should use the templates that are part of the document control (if applicable). In fact, the templates contain a mandatory field for the confidentiality class, and we will also have a policy for classification and labelling of information. Nevertheless, probably a lot of information exists that is not, or rather cannot be, documented by the use of the controlled templates. Now, we are wondering whether or not the current "scope" of documents and records to be controlled is also sufficient in terms of the ISO 27001 requirements, in particular in light of the plan to have a policy for classification and labelling.
  • ISO 22301 and ISO 31000

    1. What are the key differences between ISO 22301 and ISO 31000, since at a glance they look similar?
  • Question on clause 9

    While implementing ISO 27001:2013 for a leading bank, I am stuck at clause 9.
  • Risks of external email service provider

    We have an external email service provider; the information security risks are low, because they manage everything and we just send them the list of products with prices. I do not see risks that impact the organization. What do you think?
  • Should all applicable controls from Annex A be fully implemented by the time

    Should all applicable controls from Annex A be fully implemented by the time of the certification audit? What proportion of the controls is acceptable in the status "Partially implemented" or "Planned" at the time of the certification audit? How do auditors regard such statuses in the SoA? Could this lead to a denial of the ISO 27001 certificate?