It is very common these days for businesses to outsource software development and have contractors work as part of a team. I am hoping for advice to control these developers...
We have several developers that are contractors but they are working as part of several internal teams. They are in a different country and have their own laptops, internet connections (and offices) - my company prefers not to purchase and provide a laptop and the developers prefer to use their own - but will not allow any software to be put on their laptops or to control their laptop in any way.
As part of our ISO 27001 controls - they need access to our Microsoft DevOps environment and also have access to Outlook, Teams and SharePoint.
We are looking to put in place a rule (somehow - Azure or Endpoint Manager? advice?) that says the laptop/computer must have encrypted drives, antivirus, be up to date with O/S patches... as a minimum to connect for standard development.
While not completely controlling the laptops/computers - would this be enough for most people to allow? Would this pass the general acceptability for most companies who have ISO 27001?
(We have a requirement already that access to live Private data or information would require a company owned laptop)
Any advice is welcome....
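One way to express the "encrypted drive, antivirus, patched OS" minimum described above is an Intune (Endpoint Manager) device compliance policy paired with a Conditional Access policy that requires a compliant device. The following is an added example written for this page, not code from the original post or from Microsoft's documentation; it uses the Microsoft Graph PowerShell SDK cmdlets `New-MgDeviceManagementDeviceCompliancePolicy` and `New-MgIdentityConditionalAccessPolicy`, and the group object ID, OS build number and policy names are placeholders to be replaced.

```powershell
# Added example (not from the original post): minimum device baseline for
# contractor laptops, enforced via Intune compliance + Conditional Access.
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to
# write device-management and Conditional Access policy.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All",
                        "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

# 1. Intune compliance policy for Windows: what the laptop must report.
#    Each property maps to a signal Windows itself reports to Intune.
$compliance = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Contractor BYOD minimum baseline"   # placeholder name
    description              = "Encrypted drive, active antivirus, patched OS"
    bitLockerEnabled         = $true    # BitLocker on (drive encryption)
    storageRequireEncryption = $true    # storage encryption reported as on
    secureBootEnabled        = $true    # Secure Boot, protects the boot chain
    antivirusRequired        = $true    # an AV product registered with Windows Security Center
    antiSpywareRequired      = $true
    rtpEnabled               = $true    # real-time protection switched on
    osMinimumVersion         = "10.0.19045.0"   # placeholder build: raise it as patches ship
    # At least one scheduled action is required when creating a policy;
    # gracePeriodHours = 0 marks a failing device non-compliant immediately.
    scheduledActionsForRule  = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}
$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
Write-Host "Compliance policy created: $($created.Id)"

# 2. Conditional Access: only a device marked compliant by the policy above
#    may sign in. Scoped to the contractor group so staff on company-owned
#    laptops (and break-glass admins) are not caught by mistake.
$contractorGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: contractor group object ID
$conditionalAccess = @{
    displayName   = "Contractors: require compliant device"    # placeholder name
    # Report-only first: shows who would be blocked without blocking anyone.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeGroups = @($contractorGroupId) }
        applications = @{ includeApplications = @("All") }     # narrow to specific app IDs if preferred
        platforms    = @{ includePlatforms = @("windows") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}
$ca = New-MgIdentityConditionalAccessPolicy -BodyParameter $conditionalAccess
Write-Host "Conditional Access policy created in report-only mode: $($ca.Id)"
```

Two practical checks before relying on this: the compliance state that Conditional Access evaluates only exists for a laptop that has been enrolled in Intune, and enrolment places the device under MDM management, which sits uneasily with a contractor who refuses any software or control on their machine; that tension has to be settled with the contractors before the policy is switched from report-only to enforced. The policy also only covers what Windows reports (BitLocker state, an AV product registered with Security Center, the OS build), not full device control, which matches the "minimum bar" the question describes, and non-Windows laptops would need their own platform policy.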
SaaS provider
In the risk assessment exercise, as a SaaS provider, we are quite focused on protecting PII and other customers' data.
But I was wondering whether the customer itself could be considered as an asset for the ISO 27001 certification.
For example, a threat would be "losing customers" and the vulnerability would be "not being able to guarantee the SLA in incident management".
Would it be something to consider for our ISO 27001 certification?
ISO 27001 Certification Data
My queries: (1) How many months of data/records of implementation are needed for the ISO 27001 certification,
and (2) What is the usual timeline for the ISO 27001 certification from preparations, training, Stage 1 and Stage 2 certification?
ISO 27001 Staff Security Awareness
Good Morning. I hope that you are able to answer a question for me please. Control A.7.2.2 states that "All employees of the organisation and, where relevant, contractors shall receive appropriate awareness education training and regular updates in organisational policies and procedures, as relevant for their job function."
We are a small Company and currently deliver IT Security Awareness sessions via in person presentations once or twice a year. The attendance is mandatory and captured to provide evidence of provision. Are you able to advise please if this would be sufficient to satisfy an ISO 27001 audit or would the frequency of this training need to be increased and/or delivered through something more formal, such as an online training portal, with a test at the end of each session. Thank you in advance for your advice.
ISO 27001 measurement and Monitoring
I have some thoughts around the measurement and monitoring part of the ISO 27001 framework.
1. Is it the controls from Annex A that need to be monitored and measured, or also other parts of the ISO standard?
2. Is the measurement part mandatory for all controls, or can we somehow motivate which controls we choose to measure?
3. How detailed does the measurement need to be? Can the internal audit be enough as a method for measurement or is this too non-specific?
ISMS Policy vs Information Security Policy
Are the ISMS Policy and the Information Security Policy the same or different policies?
SOA Table ISO 27018 specific controls for processing Personally Identifiable Information (PII)
The ISO 27018 table in the Cloud Toolkit SOA is completely wrong in terms of clause IDs when mapped to the standard. This is a mess. Are the references in the toolset documents for the 27018 clauses wrong too?
Can you please fix asap. I need a table showing which of your documents map to the renumbered clauses in the ISO standard.
Question - ISO 27001
Hello - I am a partner with you and have the following situation I hope you could advise on...
I have a client who has 1 Director and no employees, and he uses Contractors (Suppliers) to perform all the work for him - and he is looking for ISO 27001 certification.
His business is a website registration system, and it is mostly Software/website development.
Questions:
1. How do you put in place HR systems when there are no employees? Would this be more about supplier management and supplier worker management?
2. With software development - would they either: (a) require suppliers to follow his requirements or ISO-compliant software development manuals, OR (b) require the subsidiary to produce their own software development manual (which meets the requirements of ISO 27001) - which he approves?
I hope you can advise?
ISO 27001 implementation requirement
The instructor has mentioned that "conducting the risk assessment is in the Plan phase" - but it is an actionable item, and more likely to be in the Do phase?