Search results


  • Project teams and BIA Questionnaire


    Answer: In my opinion, they should fill in the BIA Questionnaire the same way as employees from regular departments - you'll notice that all sections, including e.g. section 3 (General impact) and section 4 (Financial impact), are applicable to project teams as well. Also, the location where they perform their work (in your offices or in your client's offices) doesn't make much difference - you can still estimate the level of impact in the same way.
  • Taking confidential documents away from workplace

    On which basis can the information owner give or revoke the right to take confidential and top secret documents out of the workplace for work purposes (e.g. working at home)? Are there any controls or guidelines?

    Answer: The decision whether to give this right should depend on the following: (1) is there a real need to take away this information? If not, then it should not be allowed, and (2) are there some unacceptable risks related to taking away this information? If yes, it should not be allowed.
  • Mail book in the Document Control Procedure


    Answer: No, a mail book is not necessary - you just need to keep track of important external documents (e.g. contracts, correspondence with government agencies, etc.) - where they are, and who is responsible for them.

    You can do it through Customer Relationship Management software, or Project Management software, or a simple Excel sheet will do. Or you can define in some document that the responsible person for all correspondence with e.g. government bodies is XYZ, and that this person is responsible for archiving all such correspondence.
  • Storage of confidential documents

    Sean,

    ISO 27001 doesn't specify where you should store your confidential documents, but the key issue here is the right of access: typically, documents classified as "Restricted" can be seen only by certain employees - if only those employees have the code to access the secure rooms, then it could be a good solution.

    Dejan
  • Operating Procedures for information and communication technology

    Sean,

    The procedure for auditing suppliers and outsourcing partners is outlined in section 3.2 of "Operating procedures for information and communication technology" - basically, this auditing should be performed only if those suppliers or outsourcing partners create great risks for your company. E.g. if you are a bank, and a software company develops your core transaction application, then certainly you want to make sure they safeguard the security of your information.

    To be able to perform the audits, you have to include such a clause in the contract with the supplier/partner - you have an example of such a clause in a document called "Security clauses for suppliers and partners". So, once you are authorized to perform an audit, you can do it either on-site (by visiting them) or off-site (they send you the documentation and other evidence by email).

    You can perform the audit yourself, or you can hire a professional auditor to perform the job - in any case, the goal of such an audit is to determine whether the supplier/partner complies with all the security requirements you have stated in your contract.

    The audit is normally performed once a year, or once every three years.

    Dejan
  • Information labeling; destruction of records

    You're welcome :)
  • ISO 27001 or COBIT


    - COBIT and ISO 27001 have many similarities, however ISO 27001 focuses on information security, while COBIT is more focused on IT governance; further, a company can get certified against ISO 27001, but it cannot certify against COBIT. So, you have to ask yourself - do you want to focus more on IT governance or information security? Is certification important for you or not?
  • ISO 27001 and PCI-DSS


    - I'm not an expert in PCI-DSS, but from what I know, e-commerce merchants of a certain size and payment card processors must implement PCI-DSS because this is what Visa and MasterCard require - therefore, it is mandatory in such cases. If you have already implemented ISO 27001, and now you are starting to implement PCI-DSS, this doesn't mean you would have to do the same things twice - if the requirements of these two standards are the same, then you just use the controls you implemented for ISO 27001 for PCI-DSS as well.
  • Where to get ISO 22301


    - You can purchase the ISO 22301 standard here: https://www.iso.org/standard/50038.html - it costs ca. 130 USD. You may be able to purchase it for a better price from your local standardization body.
  • Construction of Risk Analysis

    What I do is the following: after drawing up the risk scenarios for failures, I begin to identify risks for each scenario, and I also support myself with generic risks from COBIT and ISO 2700X.

    - I'm not sure if I understood the question well, but ISO 27001 requires you to identify 5 elements during the risk assessment: all the assets; for each asset, the threats and vulnerabilities; and then the consequence and likelihood for each risk. You can find a detailed explanation in my webinar The basics of risk assessment and treatment according to ISO 27001 https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/