Hi Dejan,
I have a question regarding the Asset management procedure,
Shall we build such a procedure? If so, what should it encompass? And what do we really mean by Assets (are they only desktops, laptops and servers, or all types of assets: physical, software, hardware, intangible ...)?
Thanks in advance
Setting the scope of ISO 27k certification
In trying to explain what we are doing, I get my audience confused when sometimes I use the term "the system" to refer to the data processing system (in our case an e-commerce application) and sometimes "the system" is the ISMS. When I say "system" to the business unit, Sr. management, the CFO office, etc., I am sure they interpret "system" to mean some information processing system (some information technology black box) when in fact it is really a business process. (I really hoped they were going to drop the term ISMS as, for some reason, at least in the U.S., referring to a business management process as a system seems unnatural.) Do I just have myself confused, or would you have some advice on how I can disambiguate the data processing system from the ISMS that controls it?
ISO 27001:2013 standard - student copy
Hi,
As a student or an individual, is it possible to get a copy of the new standard at a subsidized rate?
Regards,
Mukta
Can the risk be accepted and the control not applied?
We are in the initial stages of obtaining our ISO 27001 certification, and in doing so we are up to the Pre-certification step. During the pre-certification we reviewed our Statement of Applicability and in particular our Out-of-Scope controls. One control that was found to be a low risk during the Risk Assessment, for which senior management has agreed to accept the residual risk, and which we determined to be out of scope, is being demanded by the auditor to be in scope. Is that permitted? Based on our scope and boundaries, as well as documented exclusions, the control does not come into play. I'm trying to gather some additional information on the determination of in-scope vs. out-of-scope.
Setting the ISMS scope for data center
My ISO program is focused on one of our data centers; the data center is maintained by the operations team, infra services are supported by the Infra Team, and there is also a development team for application development.
Which controls to apply?
Is there any control that I have an obligation to implement? For example, control 11.3.1 - Using passwords - do I have to use this control, considering that all employees work with computers? Or does it depend on the risk assessment?
Certify against ISO 27001 2005 or 2013?
I am currently implementing the ISO 27000:2005 ISMS and hope to certify in June or July of 2014. Can I do it with the 2005 version, or do I have to do it with the 2013 version? Why, in that case, do I have to make the transition?
BIA questionnaire
Hello Dejan,
What's the objective of the "Time after which the resource is necessary" in part 2 (Resources required for recovery)?
How to implement all policies and procedures for stage 2
I've received this question:
We have passed Stage 1. Could you please suggest how to implement all policies and procedures for Stage 2, and what exactly they check at Stage 2?
Answer: At the Stage 2 audit, the certification auditors will check whether you really operate according to your policies and procedures - so, for example, if you have written that you will perform a backup every 2 hours, then the auditor will check whether this is really done.
So the answer to your question is: you have to observe all the rules you have documented.
Change in risk assessment methodology in ISO 27001:2013
In the new ISMS Standard, is there any change in the methodology of calculating Risk to be adopted?