ISO 27001 & 22301 - Expert Advice Community


  • HIPAA & ISO27001

    We've spoken previously regarding ISO27001. I'm working with a software developer supplying into the aged care market. While in Australia, some providers ask if the developer is HIPAA compliant, a US standard/set of rules. If you are aware of HIPAA, how do you think about it in line with or against ISO27001?
  • BIA process

    Good afternoon. Trust you are good. I want to pick your quick thought on some business continuity matters. In the BIA process for every department, does this represent the BIA for the information security department?
  • ISO 27001 and HiTrust

    I have a question about HiTrust. Does ISO27001 cover HiTrust too? If so, do you have documentation about it on your website?
  • ISO 27001 and TISAX

    How would you compare, from the requirements standpoint, ISO27001 and TISAX? Are they comparable standards at all? Is one more specific than the other?
  • ISO 27001 / Conformio questions

    1. Can I as the Project Manager of the ISO 27001 also conduct the Internal Audit? Or should this be done by someone who is not as involved in the project implementation? 2. When should the first Management review be conducted? At the end when we have all of the documents, or while we are implementing the policies and procedures? I am asking this because there are some items that have first occurrence set as one month after the start of the project so now I am afraid that I was supposed to do this from the beginning.
  • Process vs Procedure

    In your toolkit for 27001 I noticed you have templates for “Processes.” Is a process the same as a procedure? Please advise.
  • Addressing Annex A clauses

    To be compliant with ISO27001, how do we address the 10 clauses other than the Annex control documents? Do we need a generic main big document to address them clause by clause?
  • Statement of applicability A.9.1.2 (Access to networks and network services)

    I'm working on the SOA document. I've previously defined our assets and have prepared the risk assessment. In the SOA document I see A.9.1.2 (access to networks and network services). So far, I've defined assets like "commercial documents", "databases" and so on. Accessing all these assets must of course be protected. So avoiding using public wifi networks will be specified in the Access Control Policy document. My question is the following. As using public wifi can be considered a valid threat for all IT assets we can access remotely, in the risk assessment list of items, can I just add a global asset called "internal IT resources" that will have the threat "using public wifi" and vulnerability being "public wifi networks are not secured by nature"? So this global asset would comprise other more specific assets. Or do I have to specify this risk for all specific assets I've defined?
  • Control of Suppliers (Contractors)

    It is very common these days for businesses to outsource software development and have contractors work as part of a team. I am hoping for advice to control these developers... We have several developers that are contractors but they are working as part of several internal teams. They are in a different country and have their own laptops, internet connections (and offices) - my company prefers not to purchase and provide a laptop and the developers prefer to use their own - but will not allow any software to be put on their laptops or to control their laptop in any way. As part of our ISO 27001 controls - they need access to our Microsoft Devops environment and also have access to Outlook, Teams and SharePoint. We are looking to put in place a rule (somehow - Azure or endpoint manager?? advice??) that says the laptop/computer must have encrypted drives, antivirus, be up to date with O/S patches..... as a minimum to connect for standard development. While not completely controlling the laptops/computers - would this be enough for most people to allow?? Would this pass the general acceptability for most companies who have ISO 27001? (We have a requirement already that access to live private data or information would require a company owned laptop.) Any advice is welcome....
  • SaaS provider

    In the risk assessment exercise, as a SaaS provider, we are quite focused on protecting PII and other customers' data. But I was wondering whether the customer itself could be considered as an asset for the ISO 27001 certification. For example, a threat would be "losing customers" and the vulnerability would be "not being able to guarantee SLA in incident management". Would it be something to consider for our ISO 27001 certification?