Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
ISO 27001 package question regarding risk assessment
thanks for the call last week! I proceeded with the risk assessment. Just a small question: The evaluation of probability of a risk already takes into account the measures that we already have implemented - is that correct? Because in the methodology it says:
So that means: If we already have implemented several security measures for certain risks, the probability will be low in the risk assessment. This would lead to a quite small amount of not acceptable risks (3 or higher) that would be transfered to Anhang 2 "Verzeichnis Risikoeinschätzung" (currently around 12 risks to be transfered in our case).
Did I understand this correctly? Or do we need to evaluate the risk without taking into account the measures we already have?
Thanks for your help!
-
Cloud services auditability
Thanks for this… quite timely too as I am in the middle of undertaking research for a professional doctorate degree in information security. My research is around the auditability - or lack of - of cloud service providers by cloud customers. As a 3rd party assurance consultant we are getting more and more resistance from suppliers/partners of cloud services to audit them. My research aims to review existing cloud audit frameworks and draw out any gaps – and propose a new framework that allows CSP auditability. The proposal is to develop an audit authority that can perform audits of cloud service providers using the proposed framework. The audit reports can then be made available to businesses so they do not have to audit the CSPs themselves. I have contacted the CSA for their input and hoping to get their feedback soon. 1 - Would you happen to have mapping of cloud audit frameworks that highlights common controls and differences? 2 - Also what is your opinion on the Cloud Audit Authority proposal? -
Risk assessment Vs SoA
Dears, Once we handle Risk assessment and treatment plan, we will choose the controls necessary to reduce related risks. in SoA we have to go through 114 control and choose which of them are implemented or will be implemented or not applicable. So we are repeating the same steps in both Risk assessment and SoA ... so why not only go through the 114 control and this will cover both steps (controls needed to reduce the risk and SOA process) Appreciate your feedback -
About the IT security Policy and some documents mentioned as "implementation method" in the SOA
1. Filling the IT security policy we went into trouble on 2 points : 3.12.2. Clear screen policy Our current communication to employees is to lock the screen whenever they leave their desk and to shut down when they leave the office (with or without the PC), and at least every evening. Our PC are also configured to lock automatically the screen with a password after 5mn without actions. But we don’t have any automatic log out nor automatic shutdown. After a discussion with our IT administrator he does’nt know any solution to do so. Looking around with our consultants, none have seen such solution implemented by our customer, even the most concerned with security. Then we decided to continue with the current situation. However, describing the current policy is not possible and that automatic shutdown option cannot be removed from the IT security policy in Conformio… Could you help us? 2. 3.14. E-mail and other message exchange methods Trying to fill that chapter, we found some ambiguity in the usage of the term “Users” “Users may only send messages… Users must not send spam...” : the user is an inspearit employee sending mail “Should a user receive a spam…” : we understood that the user is probably one of our prospect who do not want to receive such mail “The user must save each message containing…” : the user is an inspearit employee receiving significant mails Did we understood well? If so, the thing is that we cannot clarify the sentences 2 and 3. It would be more explicit if “Users” were replaced by inspearit employees or prospect when applicable. In another hand, our Marketing and communication director doesn’t think that inspearit send any “spam”, but some informative or commercial communications… Once again, could you help us? -
Content of ISO 27001 & EU GDPR Toolkit
I´ve already seen the included documents, but I didn´t see:
which is a mandatory document for ISO 27000. Could you confirm please that it´s not a mistake?
In our company, we have our documentation for GDPR and ISO 27000 but we would like to improve it on our own using your templates and maybe be able to offer it to help some of our clients where possible.
-
CONTROLS A.18.2.1 AND A.18.2.2
How to implement this control when the company is very small, that is, it has 6 employees? Critical analyzes are usually carried out by the entire company team. In this situation, would it always be necessary to hire a specialized external organization, as suggested by the ISO27002 standard? -
Help with management review
I am enjoying the course thank you, and my company are going to pay for me to take the exam which is really good. I would like some help doing my first management review this week if you have any tips or templates on what I should be doing for this. -
ISO 27001 Mapping to CSA CCM Matrix
Where can I find the Advisera Matrix that maps ISO 27001 to CSA CCM (Cloud Security Alliance – Cloud Cloud Control Matrix) ? I have the ISO 27001 toolkit and do not see it there. I believe this was a downloadable doc from your Blog or Free Downloads section of your website not too long ago. -
How to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements
Do you have a specific company example of how to fill out "Appendix 1 - List of Legal, Official, Contractual and Other Requirements"? Unfortunately, the description in the document does not help me, nor do the linked articles. We need concrete examples to apply this to our company. - The same applies to the definition of the ISMS scope. Unfortunately, the linked articles do not help here either. Do you have an example from a company of what the definition can look like? -
Identifying Assets
One of our primary assets is our customer data which must be kept private. This data is primarily stored in an SQL database, but can also be found in printed form, email, staff member’s brains etc.
Since the customer data can take on so many forms the risks are relevant only to the form in which it takes.
So rather than list “customer data” as an asset, would I list each form of the data as separate assets i.e.
- Customer data in SQL database
- Customer data accessible by web application
- Customer data in printed form
- Customer data transmitted verbally
- Customer data in the minds of employees