ISO 27001 & 22301 - Expert Advice Community


  • 2005 revision deadline

    My query is that we have engaged an auditing body to conduct a stage 1 audit (June 2014) in our organization. They conducted the audit against the ISO 27001:2005 version and shared the findings with us for closure; we are now closing the stage 1 audit findings and plan to engage our auditor for the stage 2 audit in mid-September 2014. Our consultant said that BSI is restricted to certifying against ISO 27001:2005 only until September 2014; after that, companies have to certify against the new version, ISO 27001:2013. The confusion is this: if we certify against the 2005 revision and unfortunately a major non-compliance is raised by the auditor which takes 2 months to close, for example, will BSI then certify us against the 2005 revision, or will they say that it is November 2014 and certification against the older version was applicable only until September 2014?
  • Minimum of three months for records for certification audit

    One of our customers insists there is a minimum of three months of records to be presented in an audit. I don't find any clause where this period is mentioned.
  • Question about CIA and asset inventory

    I have a question about asset inventory... I stumbled on a doubt: are the principles and scales of Confidentiality, Integrity and Availability applied to the risks or to the assets, or both? How are the CIA principles applied in the new standard? To the risks or to the assets?
  • Control A.12.1.1

    In the "Mandatory documents and records required by ISO 27001:2013" section on the iso27001standard website, a document called "Operating procedures for IT management" is mentioned. However, the associated control (A.12.1.1) simply says "Documented operating procedures: Operating procedures shall be documented and made available to all users who need them" and mentions nothing about "IT management", so I'm wondering where that term came from.
  • Question about ISO 27002

    Why is it necessary to use ISO 27002 if just certified to ISO 27001?
  • Which assets to assess during the risk assessment

    My client is currently in the gap analysis phase of ISO 27001. The question I have is: they have over 500 business applications. Do we need to risk assess all 500 applications?
  • How to learn about infosec?

    1. I have no or little experience in infosec, but I want to get into this area. Any tips?
  • ISO27001:2013 A.14.1.3 - Protecting application service transactions

    Hi, for control A.14.1.3 - "Information involved in application service transactions shall be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay." I'm not clear exactly what this is asking and how it applies to us. Our company builds and manages cloud-based software, and internally we use both cloud-based and on-premise applications, so I expect that it will relate to these. But I'm not sure how. Can anyone please give me an example of how this control is implemented in their environment? Alternatively, a better explanation of exactly what this control means would be great. Regards, Damian
  • If a UK parent company is ISO 22301 certified, is the US subordinate company also covered?

    If a UK parent company is ISO 22301 certified, is the US subordinate company also covered?
  • About ISO 27003 for ISO/IEC 27001:2013

    I have a question, if you can help me please: is ISO/IEC 27003:2010 adaptable for implementing ISO/IEC 27001:2013, or is it applicable only to the 2005 version?