What happens in ISO 27001 Stage 1? What documents will they look at?
Third Party Providers vs. ISMS Policy conflicts
I have a concern presently concerning ISO27001 and company ISMS policy / third party agreement guideline vs. a third party who plays a large role in company activities.
Our third party agreement guideline states that third parties shall comply with certain security requirements.
We have a provider that has stated they are not ISO 27001 compliant but use many ISO 27002 principles, which is fine, but we are attempting to have them sign our agreement - they do not want to sign, and I QUOTE
"Because such a framework is subject to extensive governance, both internally as by external auditors and our overseers, security is not an area where we (they) have the liberty to accommodate and apply different security requirements per individual customer" UNQUOTE
They have also provided a statement to replace what we have asked for. QUOTE
X shall at all times operate and manage the information security, reliability, resilience, and technology planning in accordance with its security control policy. In order to provide a more understandable framework for its specific business, the X security control policy is organised around the 5 key dimensions of: governance, change management, confidentiality, integrity and availability. X has implemented a number of initiatives that enhance security, including a company-wide commitment to adopt many of the principles of ISO 27002, which is the code of practice for information security management. This involves, amongst others, risk management practices in line with ISO 27005 and NIST standards. These internationally recognised standards provide wide-ranging security guidelines" UNQUOTE
How does a company get past this in ensuring they apply the company security requirements, especially when this aspect can be audited?
Is this acceptable?
Thanks for your reply
I just purchased the foundations 2 webinar, which I thought would show me how to complete the management review. Am I looking in the wrong place? And if so, can you change my subscription to the right webinar?
How many work hours are needed for ISO 27001 implementation
Typically, how many total hours of work would an internal person/team need to invest to gain ISO 27001 certification?
Project teams and BIA Questionnaire
How do project teams complete the BIA Questionnaire when their main role is 'supervision' of project execution and delivery carried out by Contractors on site?
Taking confidential documents away from workplace
According to our "Information Confidentiality Classification Guideline", Confidential and Top Secret paper documents can be taken away from the workplace for work purposes, but the authorization of the information owner is required.
Mail book in the Document Control Procedure
You talk of a "mail book" in the Document Control Procedure. Can you please give further clarity on this and whether it's mandatory? We don't really have any important log documents my small mail.
Storage of confidential documents
We have key coded secure rooms within our office. Would it be ok to store information considered "Confidential" or "Restricted" within these rooms or would they need to be stored in locked filing cabinets?
Operating Procedures for information and communication technology
In your toolkit, the "Operating Procedures for information and communication technology", point number 4, Managing records, states:
"Reports and records related to monitoring and auditing suppliers/partners - electronic and paper form"
I'm confused as to who we are supposed to audit and how we are supposed to audit them?
Information labeling; destruction of records
Regarding information labelling, will we need to have all our information labelled or is it ok if employees are doing it as a process going forward?