
  • ISO 27001 Stage 1 & 2 Audits

    The standard ISO 17021, which defines requirements for bodies providing audit and certification of management systems, in its clause 9.3.1.2.4, requires certification bodies to determine an interval between performing stage 1 and stage 2 audits but does not prescribe any specific interval, so the interval is defined according to each accreditation body.

    Common practice is an interval between 30 and 90 days.

  • Organizational chart - ISMS

    1 - Does ISO 27001 require the presence of a CISO or an Information Security Manager in the organizational chart?

    This role is not prescribed by the standard, so you can designate any existing role in your organization, or create a new one, to perform activities generally performed by the CISO/Information Security Manager.

    For further information about the CISO, see:

    2 - What are the roles that must appear in the organizational chart by ISO 27001 requirement and that we should include in the current *** organizational chart?

    Besides top management and internal auditor, ISO 27001 does not specify any other roles for information security, so you can include any specific role you consider relevant.

    3 - Could all these roles be covered by *** current QARA Manager?

    I’m assuming that by QARA you mean Quality Assurance & Regulatory Affairs.

    Considering that, provided that the QARA manager has the competencies needed to perform the roles relevant to information security, this person can assume these roles.

    4 - What do you recommend in this regard?

    Roles and responsibilities generally designated to a CISO are very similar to those of a QMS manager:

    • ensuring that the ISMS conforms to the ISO 27001 requirements
    • reporting on the performance of the ISMS to top management

    Considering that, these management activities can be designated to the QARA.

    However, some security roles may require expertise in other areas and may need to be performed by other roles (e.g., network security, performed by an IT analyst).

  • A proof for fulfillment of requirement A.9.5.1 from ISO 27017

    I’m assuming you are referring to control CDL 9.5.1 - Segregation in virtual computing environments.

    Regarding the “Risk assessment performed” you can show as evidence the last risk assessment and treatment report, showing to which risks related to “customer-developed/supplied software in the cloud environment” the control CDL 9.5.1 is used as treatment.

    Regarding the “mitigating controls to address risks imposed by customer-developed/supplied software in the cloud environment”, examples of evidence of implementation of this control are:

    • Network diagrams showing how computing environments are segregated
    • Firewall rules tables showing the configurations implemented in network devices to segregate the environments
    • Results of independent penetration tests covering the evaluation of this control

  • Control A.11.2.4

    First, it is important to note that the ISO 27001 controls that are related to business continuity are those from section A.17. Controls from other sections focus on information security, not business continuity.

    Control A.11.2.4 - Equipment maintenance applies to all equipment in the ISMS scope.

    Considering that, this control may be applied either to your laptops (where you will have to implement the control) or to the equipment provided to you by your supplier (e.g., a WiFi router as part of the leased office where you work).

    For further information about applying this control, see:
