Please select user.
There are no topics yet.
We are currently preparing for our control audit.
However, due to personnel changes I am contemplating to change certain aspects of the SOA to reduce unnecessary overhead.
What effect will the removal of controls e.g. A.14 have for the audit and our certification scope?
Can Changes to the SOA only be made prior to certification audits?
I am curious to get some input in regards to how you manage Suppliers of critical systems. At the moment I am struggling with deciding wheater we should consider all providers of citical systems also as a critical supplier and handle them in our supplier handling process. All critical systems are handled, risk assessed etc. according to our Asset management process. But I now ask myself if it is neccessary to also have all of them inserted as critical supplier and go through all the administrative work related to that.
example: we use Hubspot and this has been evaluated as a critical system. It is included in our system asset register, has gone though a comprehensive system review and we have the relevant contracts/agreements in the contract database. Would you also add Hubspot in the supplier register as a critical supplier? Which means that we will also evaluate the supplier on a regular basis etc.
Another aspect to this is that for systems that we "purchase" via a supplier.. then we don't have the actual provider of the system registered as a supplier but the partner that the system provider is using.
I would love to hear your thughts on this.
A.14_Politica_de_desarrollo_seguro_27001_ES", necesitamos saber para punto "3.3 Principios de ingeniería segura", ¿si estos principios debe ir detallados en esta política?, y si ésto es así, ¿que principios se deben incluir? o proporcionar alguna documentación o ejemplo para complementar este punto.
I should have clarified on the initial request but for the register of requirements, if we don’t have any legal, regulatory, or contractual security obligations do we also list internal security policy requirements, or is this section left blank? While we do have MSAs, we don’t have a specific security control agreement with clients currently.
We want to be compliant with the Baseline Information Security for Dutch governments, abbreviated as the BIO. For more info https://bio-overheid.nl/ This baseline is a selected subset of ISO27002 controls. Controls selected based on information security risks for Dutch governments. We already created information security policies, procedures and implemented most of the organizational and technical controls.
1. would it be acceptable for the ISO27001 certification to do a risk assessment and treatment with a GAP analyses of the technical and organizational controls described in our information security policies? A risk would come from not having implemented a technical or organizational control. The treatment would be: implement the technical or organizational control.
2. if so – do we have to implement all technical and organizational controls before we start the certification process? Or I it sufficient that we proof we are in control of the risks by following the ISO27001 ISMS norm?
I am using the Document Wizard to write the Disaster Recovery Plan. Section 11 requires me to specify the archives of the person in which the records of recovery steps implementation (in paper form) are store In my company, we keep all documents and records in electronic form in Sharepoint. The IT Dept documents their technical work procedures using One Note or MS Word. DRP test reports are prepared in MS Word and filed in pdf form
My company is due to re-certify on ISO27001 at the end of the year. If we re-certify on the 2013 ISO 27001, would we have to keep this for the whole 3 years, or are we able to re-certify for the 2022 version next year?
Any help would be appreciated.
We are hoping to have antivirus software installed on every Macbook and iOS device to have the Jamf or Miradore platform because our company exclusively works with IOS applications. The problem is that we are unsure if that complies with ISO 27001, so I needed your help in this situation.
Jamf is primarily focused on managing and securing Apple devices such as Macs, iPhones, and iPads. It provides a range of tools for device management, including inventory management, software distribution, patch management, and security controls. Jamf can help organizations implement some of the controls required for ISO 27001 compliance, such as ensuring that devices are properly configured and that security updates are applied in a timely manner. However, it does not provide comprehensive support for all aspects of ISO 27001 compliance.
Miradore, on the other hand, is a more general endpoint management platform that can be used to manage a wide range of devices, including those running Windows, macOS, and Linux. It provides a range of tools for device management, including inventory management, software distribution, patch management, and security controls. Miradore can help organizations implement some of the controls required for ISO 27001 compliance, such as ensuring that devices are properly configured and that security updates are applied in a timely manner. However, like Jamf, it does not provide comprehensive support for all aspects of ISO 27001 compliance.
In summary, while both Jamf and Miradore can be useful tools for managing and securing endpoints, they are not designed specifically for ISO 27001 compliance.
So could you please help us with this?
How to register to work in cyber security?
I took part in your recent "Discover Best-in-class Practices for ISO 27001 Risk Assessment live virtual training". No mention was made of the new Attributes Table in the 2022 version - the text of the Standard would appear to indicate that their use is not compulsory? Can you please clarify and if not mandatory what is their purpose? Many thanks