Please select user.
There are no topics yet.
How would you perform an Audit of an application hosted on a private cloud virtual server?
I was assigned to do a review on company (financial institution) IT and IS Risk Assessment. However, i am confuse about the difference of both assessment? how will I start? And what about IT Risk Policy Manual and IT Risk management Framework is same? how is this related on both ISRA and ITRA?
Dear Team, I have across a certifcation body for my company's ISMS certification. The certification body is accredited by IAS. When i looked at the scope of accredition, the countries of operation is Quatar. I want me US entity to be certified. In this case is it advisable to go with the certification body?
COuld you guide on this.
I am currently running back through the statement of applicability, and was wondering what is expected of us when it comes to the audit for the justification and control objectives column. I don't necessarily have legal or contractual reasons for justifying some controls, but they still apply. For example, we are fully remote so teleworking applies. Am I allowed to fill the justification in for this with the reason being that we operate on a remote structure?
I would like to know what kind of evidence is acceptable for the InfoSec Awareness Training, is a report of all employees who completed the training enough?
What kind of documents are required to satisfy this clause? We have principles in place, but I'm unsure of documentation needed.
Our company has a good incident response plan in place, however it's a requirement of the ISO27001 that we also have an incident management procedure? Do we need this in addition?
Below are the reasons why numerous incidents need to be removed:
Since currently incidents from the Incident Register cannot be removed, What are we supposed to be doing now with respect to external auditing? We are quite concerned that numerous incidents contradict the incident procedure and can be marked as non-conformity which will cause a failure. ( Client wants to remove incidents under the incident register in Conformio, but for now, we do not have the possibility to delete)
I'm having on how to rewrite our internal policies so that we can get ISO27001 certified. The main issue I'm having is deciding how detailed our policy needs to be. Basically, what are the minimum requirements to achieve compliance? For example, ISO27002, 11.2.8 unattended user equipment. We already automatically lock workstations after 5 minutes through group policy. Is that enough to comply with part a)? I'm worried that if I make the policies too detailed, we won't be able to have evidence for everything and we'll get struck with a non-conformity when we fail to present evidence. Going off the same example I gave you, is it simply showing the auditor that we've configured our group policy to do that enough evidence? Or will they ask for evidence in the form of logs? Something else that interests me is how to deal with remote employees when rewriting our policies? How do we enforce a clear desk policy if they're working from home?
The auditor has indicated that there are a number of 2021 policies where we cannot demonstrate per date stamping in Conformio that the policies are valid/current in 2022. we don't want to change anything in the policies (e.g., information security policy), but how can we demonstrate that an older policy is still valid in 2022 given it is date stamped 2021.