
ISO 27001 & 22301 - Expert Advice Community


  • ISO 27001 Risk Assessment

    We are currently working on our asset register and risk assessment for ISO 27001. One thing that we are a bit unsure of is the column "existing controls" in the risk assessment table and how existing controls affect the risk treatment and the SoA. 1. What would you say counts as an existing control, and how "secure" does it need to be to lower the risk level (documented, implemented as a process, etc.)? 2. If the already existing controls lower the risk level, which we suppose they do according to your video lessons, then the risk level might be so low that the risk doesn't need to be included in the risk treatment. And if it doesn't need to be included in the risk treatment, then we don't need to implement a control from Annex A to cover this risk? Have we understood this correctly? It seems a bit wrong to exclude Annex A controls that actually should be applicable.
  • ISO 27001 query

    I have a question. For an organization that has servers on premises and in the cloud, to comply with 12.4.4 Clock synchronization (all systems should be configured with the same time and date): which servers in the cloud should have the same time as the servers on premises, SaaS, DaaS, IaaS, or should none of the cloud servers sync?
  • Toolkit content

    I am responsible for updating our ISMS, but I am missing a template for the recovery process (start-up plan), which is under A17.4.5. What is there is not enough for me: I have to define which server, service or process has to be restored first, and what dependencies there are. Do you have any further documents?
  • Security asset inventory

    Although there is information about creating an asset inventory, and what needs to be in it, it doesn't feature in any of the implementation steps. I normally create one before doing a risk assessment and use the content for the risk assessment so there is cross-mapping. I'd be interested to hear your thoughts.
  • Query on SOC 2 certification

    I have a query: how much of this documentation can be reused if the organization also wants to pursue SOC 2 certification?
  • Conformio - acceptance of residual risk in reports

    My recollection is that where the residual risk was 3 or more, i.e., unacceptable, we reviewed the risk and the risk owner could decide to accept the residual risk. The fact that the risk owner accepted the risk does not seem to be recorded anywhere in the reports. Where can I find that? I can't see where we say that a residual risk is accepted.
  • Query on Classification of ISMS

    Query related to ISO 27001 ISMS (Classification of Non-Conformity). In the Advisera ISO 27001 Document toolkit, it is given/recommended that the organization must provide a classification for the risk. The queries to be resolved are as follows: Is the organization supposed to provide a classification for non-conformities as well? If yes, please suggest the method/mechanism to be adopted for the classification of NCs as well.
  • Datacenter room

    A question about what characterizes the CPD, where the room will not have any server, only a firewall and an internet modem: can it have wooden cabinets? What does ISO 27001 require? ISO 27001 requires a room for endpoint maintenance; it can be next to the CPD room. There is a prohibition on having wooden furniture inside the room.
  • Scope of the ISMS

    I have some questions about the definition of the scope of the ISMS. We're a small software company (less than 50 employees) and we both develop and provide software as SaaS. I understand that the scope should include the whole organization (office, employees, assets, etc.), as well as the processes we've implemented to develop and maintain our software. What is not clear to me is whether we should make explicit mention of these software products. Isn't it implicit that any application developed according to the practices laid out in the ISO 27001 standard is inherently compliant with it? A previously answered question states that "an application cannot be defined as an ISMS scope." [1] Most certificates I've seen simply state "software development", but some do mention their software solutions in the scope definition (e.g. MongoDB [2]). Does that ultimately make a difference in our ISMS or is it merely a question of public image and marketing?
  • Question about the risk assessment table

    First of all, I wish you all the best for this new year, to you, the whole Advisera team as well as your loved ones. Starting this new year with our Risk Assessment Table, I was wondering how detailed it should be. I'm sure that, by thinking about it, I could add and add specific points, but I'll have to stop at a certain point. Any general advice about this? More concretely, as our ISO 27001 certification is focused on our SaaS platform, we use a lot of different cloud provider resources, like databases, servers, and many different tools. Is it a best practice to list them all and find potential threats and vulnerabilities for each one? Two examples: - We use *** and *** as 2 separate databases. Should I list both of them, or can I "simply" mention that we use "databases" and find threats and vulnerabilities that are applicable to both of them? - We use *** and *** as documentation tools (that can include sensitive information). Should I address them separately?
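The clock synchronization topic above ("ISO 27001 query") asks which cloud systems must keep the same time as the on-premises servers. The practical point of that control is that log timestamps from every system you will ever correlate in an investigation must refer to the same absolute instant, regardless of the local time zone each host displays, so the thing to verify is each host's offset from one reference time source. The following script is an added example written for this page, not Advisera's code and not text from the standard: it takes constructed clock readings from on-premises and IaaS/DaaS hosts (the host names, timestamps, and the 500 ms tolerance are all assumptions), converts them to absolute instants, and reports which hosts are out of sync with the reference.

```python
"""Clock-drift check across on-premises and cloud hosts.

Added illustration for the clock-synchronization question above; not
Advisera's or ISO's code. Host names, timestamps and the tolerance are
constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed reference instant (what the trusted time source read, in UTC)
# at the moment every host below sampled its own clock.
REFERENCE = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

# Constructed samples: "host,RFC3339 timestamp", each host reporting in its
# own local zone. A host showing 13:00 in UTC+1 is the same instant as
# 12:00 UTC, so displayed wall-clock time alone says nothing about drift.
SAMPLES = """\
onprem-dc01,2024-01-15T13:00:00.120+01:00
onprem-fw01,2024-01-15T12:00:00.040Z
iaas-web01,2024-01-15T07:00:00.030-05:00
iaas-db01,2024-01-15T12:00:04.500Z
daas-desk07,2024-01-15T11:59:59.700Z
"""


def parse_samples(text: str) -> dict:
    """Parse 'host,timestamp' lines into timezone-aware datetimes.

    Naive timestamps (no zone or offset) are rejected: without an offset
    the reading cannot be placed on the UTC timeline at all.
    """
    readings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, stamp = line.split(",", 1)
        # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on,
        # so normalise it to an explicit +00:00 offset first.
        stamp = stamp.strip().replace("Z", "+00:00")
        dt = datetime.fromisoformat(stamp)
        if dt.tzinfo is None:
            raise ValueError(f"{host}: naive timestamp, cannot determine offset")
        readings[host.strip()] = dt
    return readings


def clock_offsets(readings: dict, reference: datetime) -> dict:
    """Offset of each host clock from the reference, in milliseconds.

    Subtracting two aware datetimes compares absolute instants, so the
    local zone each host reports in is irrelevant to the result.
    """
    return {
        host: (dt - reference) / timedelta(milliseconds=1)
        for host, dt in readings.items()
    }


def out_of_sync(offsets: dict, tolerance_ms: float = 500.0) -> list:
    """Hosts whose absolute offset exceeds the tolerance, sorted by name."""
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance_ms)


if __name__ == "__main__":
    offsets = clock_offsets(parse_samples(SAMPLES), REFERENCE)
    for host, off in offsets.items():
        print(f"{host:12s} {off:+9.1f} ms")
    print("out of sync:", out_of_sync(offsets))
```

On the constructed data only `iaas-db01` (4.5 s ahead) is flagged at the 500 ms tolerance; `onprem-dc01` and `iaas-web01` are within a few tens of milliseconds despite displaying 13:00 and 07:00 respectively. In a real deployment the readings would come from each host's NTP client (for example the offset reported by `chronyc tracking` or `ntpq -p`) against the same upstream source, and the tolerance would be whatever your log-correlation needs dictate.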