ISO 27001 & 22301 - Expert Advice Community


  • Responsibility for classifying the assets

    I have a question about asset inventory: who is responsible for establishing and assigning the owner of an asset? And, in my company, the assets/information classification is:
  • Information Systems Audit Control

    I would like to know exactly how to implement the control 15.3.1 of ISO 27001 (Information systems audit controls). Is it about logging users' activities on systems? Thanks in advance.
  • Information security policy - including references to clauses of ISO 27001 stand

    Shouldn't I include subsections/references regarding the clauses in the 27001 standard (i.e. chap. 4 - 10 and Annex A) in the Information Security Policy that is included in the package? Otherwise how do I ensure that IS policy, as an umbrella policy, covers all IS aspects?
  • What types of evidence are normally obtained for each of the controls

    I’ve watched several of your webinars, which I have found very helpful, and I have a question for you. I’m working on doing an assessment of our current ISMS and I’m trying to find what questions to ask and what types of evidence are normally obtained for each of the controls. Some of the controls are very straightforward but some of them are somewhat vague, so I’m looking to find some guidance. For example, control A.12.1.1 regarding documented operating procedures I feel could be interpreted several different ways. I looked on your website and could not locate any guidance on performing an assessment of these controls. Do you have any suggestions on where you think I could find this guidance?
  • Who writes the Statement of Applicability?

    Now I'm in the Statement of Applicability, but I have some doubts about it. For example, who has to fill in the information in the SoA? The CISO or the departments involved? For example, for the controls of item A.7 Human Resource Security, is it the Human Resources Department? And is it necessary to establish the maturity level of those controls?
  • Glossary of Terms about BCP

    I want to know where I can find a list of terms ... as a glossary for training?
  • Why does Annex A folder in the Toolkit include A.6-A.16 and not A.1-A.5?

    Is there a reason why A.1 through A.5 are not included in the folder?
  • Project Planning - does the calculator's result include implementation time for all of the selected controls?

    The calculator estimated that my project would take 26 months based on my organization. Does that estimate include implementation time for each control selected as part of the Risk Treatment Plan, or is it just the time from project start to creation of the Risk Treatment Plan? This is my first ISO 27001 project, but I have significant Information Security experience, and if it is "just" the time required to identify assets, assess risk, and build the plan for the control environment, then 26 months seems very long (I would estimate 6-9 months only). Thanks.
  • Statement of Applicability for network security

    Within ISO 27001 we have an SoA which states the controls for IS. Does an SoA for Network Security exist?
  • Narrow ISMS scope and an Information Security policy for the whole organization

    We are working towards the transition to ISO 27001:2013, but they are having problems trying to understand this: We are writing a new Information Security Policy to be used for the whole organization, but I would like to keep the ISMS scope just for one system, the one that is required to be certified to ISO 27001. Is this possible? Can we have a narrow ISMS scope but an Information Security policy for the whole organization? The SoA is extended to include all controls in Annex A; here is my problem: I would like to keep the SoA aligned with the scope, and they want all controls marked as applicable even if they are not used in the system in the scope.