1. Hi there, we need to figure out whether or not we need ISO 27001 compliance. Some of the requirements our potential client has are as follows:
   - Audit review, plan, and information as to the audit standards they're using
   - Network penetration testing (internal and external)
   - Application penetration testing
   - Vulnerability scanning for network, internal and external
   - Logical network diagram, with data flow if possible, with encryption levels
   - Security baseline standards? Hardening standards?
   - Info on corporate RTO and RPO standards
   - SDLC - tollgates
   - Application testing? SAST, DAST, SCA, IAST, MAST?
   - All policies, standards, and procedures documents, including:
     - Secure coding standards
     - Risk assessment document
     - Change management
   - Conscia to provide a summary of our most recent Disaster Recovery (DR) audit
   - Conscia to provide a network and application layout diagram for our product
2. What is a SIEM solution? What log review tools? Frequency of the log reviews. Is some of this covered in your toolkit?