1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities.
2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation?
ISO 27001 Scope
1. We have the ISO 9001 certification whose scope is "Customer Service and Telemarketing". Is it possible to indicate the same scope for the ISMS?
2. If the answer is yes, should it be included in point 3.1 of the ISMS scope document?
Point 3.1 must detail all the processes that interact within the "Customer Service and Telemarketing" service.
ISO 27001 Internal Audit practice and tips
Can you share some good practices when auditing ISO 27001 ISMS and Annex controls? Thanks
What to do with legacy documents & materials
1 - I am looking at our options with regard to planning a roll-out of information classification and retention policies and tools within our organization, to help users identify, classify, and protect sensitive data and assets for ISO 27001.
Currently we have been filing all our information haphazardly in Dropbox. No standards. No management of the Dropbox folders ... so it's a mess. With 27001 we plan to set up a new structure in Dropbox and migrate/convert the company documents/assets into the ring-fenced folders, and then freeze the existing Dropbox folders, with a long-term objective of sunsetting the content.
Is there a tried-and-tested method for this task? We have limited resources, so it will take time to do.
2 - My other question is, will the auditors want to look at the legacy materials? Our aim is to put an ISO stake in the ground and have all relevant / supporting PowerX docs filed in the new folder structure. For ISO 27001 we will use Dropbox as the DMS, but will most likely migrate to alternative apps/software, such as Conformio, in 2023.
Risk Assessments in Conformio
1. Can assets be put in a hierarchy, so that filing cabinets can be seen as part of an office building, or a firewall as part of a server? I think this would have benefits for overview and for determining assets potentially affected by incidents related to other assets below or above in the hierarchy. I'm not sure whether this makes sense from a Risk Management perspective.
2. I see the same vulnerabilities for different assets, like inadequate change control for laws, regulations, etc., but also for policies, procedures and work instructions. Is there a way to optimize this and to reduce the number of vulnerabilities?
Question ISO 27001 implementation
I follow Advisera articles and the Foundation Course now to learn about the implementation of ISO 27001. Thanks to all for sharing this.
I want to ask you something; if you could answer, I would be pleased.
I started an internship in a company and I am researching the steps of implementing ISO 27001.
This company is a small company and it's a sister company of another company.
The bigger company and this company work in the same buildings right now; it even continues as an extension of the big company.
Most of their assets are the same, but their products and employees are different.
If this small company wants to get a certification, it is possible, right?
The small firm wants to get certified.
In this case, I am confused about how ISO processes can be applied.
Because every written procedure and policy also affects the members of the other company. Awareness training will have to be given to them as well, and the management of the other firm will have to agree with it.
In this case, should these two companies get the ISO 27001 certificate together?
Or can only this small firm get this certificate?
Or should the two companies separate everything thoroughly before the certificate?
Could you help on this point?
Does ISO 19011:2018 align or integrate with ISO 27001?
Does ISO 19011:2018 align or integrate with ISO 27001 and if so how?
Infosec procedures
I am looking for two procedures: Vulnerability Management and cryptographic / encryption key management.
The vulnerability procedure should cover how many scans are necessary for each asset classification (critical, medium, etc.), the necessary work to do, the documentation process, etc.
The cryptographic procedure should cover how to protect keys, private keys, emergency access to keys, encryption methods, code signing certificates, etc.
Baseline: ISO 27002 - 10.1.2
OWASP: Key Management Cheat Sheet (key life cycle management (generation, distribution, destruction); key compromise, recovery and zeroization; key storage and key agreement)
Quantity of risks
Good day Dejan,
I hope things are going well in your part of the world.
We at *** are slowly working on our ISO27001 accreditation and would appreciate some guidance from you please. How does the attached Risk Table look for a small IT services company with ~15x people? When we spoke last, you suggested that we do the certification for our whole business as opposed to just our SOC portion, so I’ve considered elements from our offices, hosted customer environment and our new SOC.
I’ve used ~50x of your standard assets, combined with your standard Threats and Vulnerabilities, and have come up with ~200x Risks.
~15% of these will need further attention later in the process based on their risk score.
Are these risks and numbers appropriate, or do we need more / less / different? I don’t want to get too far ahead if this stage still needs more work. We still need to share it with our technical people who could very well raise some additional assets and associated threats, vulnerabilities and risks. I also don’t want to add too many risks if they are effectively trivial, but also want to demonstrate to an auditor later that we have applied our mind to the task.
Would you be available for some feedback by email and/or online meeting in the next 2-3x weeks? There is a 7x hours' time difference to Perth, so probably 9am your end / 4pm our end will work.
Look forward to hearing from you.
ISMS metrics related to Scope
Dears, the scope of our certification is purely focused on product development data security. Have you got any tips or examples of PD-relevant ISMS metrics? Of course without specific data, like names or values, just as inspiration for us. Thank you in advance.