Eric It is possible that 14.1 is not applicable and thus you can take it as an exclusion. But it is not possible that you don't want to implement it so you...
Hi Zahra Pen Test is not mandatory, but VA is mandatory. Now it depends upon the VA report whether PT is required or not. Depending upon the VA report ...
The fact that controls can be excluded means they are NOT mandatory. Hence, NOT required. I don't want to implement BCP. I have something else better. :) ...
I do not agree with DJ. A.14 cannot be excluded while implementing ISMS. Yes, we do not talk about BCP connected with entire business. But in ISMS when we...
You need not identify and mention 'potential non-conformities' with examples in the Procedure. The standard expects the management to document, in case you...
Sigh. ISO 27001 is clear on this matter. Controls CAN be excluded. The fact that controls CAN be excluded means that NO control is required as long as the...
Management will NOT use the preventive action procedure as much as the lower mammals in the organization. If examples, are not given, people would be left...
Hi all, I was also under the impression that BCP can be neglected. But the fact is it is one of the vital controls when it comes to ISMS. How can the...
To all, As a matter of general rule, exclusions to controls are possible only in control domains A.9, A.10, A.11 and A.12. Exceptions to this rule are few and...
Please don't say things that are not true Aleboor. What is the basis for your general rule? Which part of the standard says this? You said "As a matter of...
"Considered" is different from "required". From: Siddi Rizwaan Damad <siddirizwaan@...> To: iso-27001@yahoogroups.com ...
Glad to know someone is on the right page. Cheers DJ. From: Deejay N <djisms@...> To: iso-27001@yahoogroups.com Sent:...
Just a thought. While I totally agree to the SoA point of view, there are some regulations that require that companies have Minimum Baseline standards that...
Ram, While I can appreciate your thinking as an ISO of a Bank... I would like to draw your attention to the actual question "If BCP is optional" ... the...
Dear Infosec People, All my life, I was a part of ISO 9001 team, but recently my organization has entrusted me with an additional responsibility of ISO...
Hi Kumaraj, First of all, I'm not sure whether you are in a conflict of interest if you are part of the ISMS maintenance, and at the same time internal...
Dear Mohan, Knowledge of 9K is a good asset to understand 27K. If you want to understand ISMS auditing, please read and digest the contents of ISO 27001...
Usually people involved in ISMS implementation are from IT background. In the drive of implementing controls, we tend to forget that BCP is not confined to IT...
Dear Friends, It seems you are not interested in helping this old man. At least, let me know what to be audited in Software Projects? Many of these projects...
Dear Mohan, You need to audit the risk life cycle first. Don't audit the controls without first understanding the risks of the organization. Have you attended...
Hi New to the forum, hope you can all help! I'm part of a small business (very small, 3 staff), currently looking at getting ISO certified, and I've been...
Hi First suggestion is Attend a Lead Auditor or Implementation course for ISO 27001. That's the best way to understand the method. You shall follow the following...
Hi rufina, I am Hari Prasad, a new member to this group. I recently visited old messages & I find your below message is interesting. If possible please post your...
Thanks! I've got as far as listing assets and threats to assets, however this brings me back to what the scope should be. As I mentioned, we're a small IT...
Hi Thanks for the pointers! Is it absolutely necessary to have attended a course? Obviously we'll have to do an internal audit further down the process, and I...
Hi Sam, The person who will do the internal ISMS audit must be knowledgeable in: 1 how to do an internal audit according to ISO 19011 2 the requirements of...
Dear Sam, Good day. You should write the scope first. Yes you can limit the scope to the processes and assets within the online backup part of the business....