Questions to top management
Or, the types of questions to direct to the CISO, CIO, or CTO to identify the types of technologies they have implemented to mitigate future cyberattacks.
Answer:
First, it is important to understand that in general the C-level will not think directly about risk (nor do they have to), so you have to ask questions about their concerns regarding the business objectives (what they are, which are the most important, and why) and how information can help achieve these objectives, or prevent them from being achieved. From these answers you will be able to identify their risk posture, the most relevant risks, and what you can do to treat them.
Another important issue is that in general these questions are asked by the person responsible for information security (i.e., the CISO or a similar role).
These articles will provide you with further explanation about requirements identification:
- Top management perspective of information security implementation https://advisera.com/27001academy/blog/2012/12/04/top-management-perspective-of-information-security-implementation/
- Management’s view of information security https://advisera.com/27001academy/blog/2011/05/16/managements-view-of-information-security/
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Jan 09, 2019