Hi all, I have a couple of questions: Has anyone worked on a Non-conformity report? Do you have any approach on how to perform ISO test, Sampling methodology,...
Dear Jesus, Please tell whether you are talking about raising a Non-Conformity (NC) or describing action against a raised NC? If you're thinking of raising an...
Kashif, thank you very much for taking the time to respond to my e-mail. I will clarify my questions: Has anyone worked on a Non-conformity report? ...
Hi All, Until now I have been a reader of this group, but have never written to this group on any of the issues or problems. Sorry for that ... you should be...
Hi Gijo, ... My opinion is that effectiveness can't be measured, as some information is always missing. Let's say a control says that no equipment must be ...
Does anyone have detailed information about the Six Stages of the ISO 27001 preparation process? Or can anyone tell me where I can find such information? Thanks, Jesus...
Hello All, I have a question regarding the ISO 27001 assessment. If during the assessment we as auditors identify a non-conformity, do we have to provide...
Dear Jesus, An auditor shouldn't provide any solution, only note what has been observed and determine compliance or non-compliance. This is for two reasons: 1)...
Hi Jesus, It actually depends on how you are conducting an audit (I mean as an Internal Auditor or as a consultant). If you are auditing the process as an...
Arindam.Banerjee | Arindam.Banerjee@... | Aug 11, 2006 7:12 am | 105
Recommendations should not be provided. How can an auditor take the same role as a consultant and then come back in the next audit and verify his own...
Hi I had the "chance" to read both books... I think they really do not reflect the "core or spirit" of what one could need for ISO 27001... Just talking about...
Yes Arindam, your opinion is correct. As an external auditor during a 3rd party audit you should not give any solution regarding your non-conformity, although...
It also depends on whether you are conducting an assessment or an audit. If it is just an assessment, I highly recommend providing a solution; that's what you are getting...
Hi all. I am new to this list, so I thought I would introduce myself. I manage Information Services for a State Government Agency in Sydney, Australia. Our State...
Since you've passed one audit, you have a foundation for doing a gap analysis for your other units. I would pick the next area you'd like to certify, and do a...
Dear All, I would like to have some insight on how to conduct audit at the project level (in software development and BPO industry). As most of the controls of...
Arindam.Banerjee | Arindam.Banerjee@... | Aug 14, 2006 6:12 am | 112
"Adequate back-up facilities should be provided to ensure that all essential information and software can be recovered following a disaster or media failure"...
Think Disaster Recovery and Business Continuity. A Hot or Cold site that is physically separate from your production site. Thanks, Kim Sassaman, CISSP ...
It just tells you that you should have a back-up mechanism in place for speedy and effective recovery at the time of a disaster. The back-up should never be...
Arindam.Banerjee | Arindam.Banerjee@... | Aug 25, 2006 6:43 pm | 115
Dear Friends, Our external auditors have put an observation that our ISMS Objectives need to be re-defined to be SMART, as presently they are too generalistic....
Dear Sarat, ... I think you will need ISM3 (www.ism3.com) to enhance your ISO27001 ISMS. ... A security objectives / security targets example from ISM3 is: ...
With reference to your query, my opinion is as below: S - Specific --- means to identify the key/target area for implementation of ISO; M - Measurable --- means...
The latest issue has just arrived. For anyone who doesn't receive it, the full copy is below: ______________________________________________________ THE ISO...
Hi all, I work for a commercial company and the head of Info Sec is an ex-military man. The company wants to achieve certification in the standard. Most of the...
Hi JP, It's a common dilemma. The head of Info Sec must understand that there are no mandatory controls. However, there are baselines. I suggest that you...
Hi, I'm an ISO 27001:2005 certified LA and LI .... Well, if you ask me, there is a need to conduct a Risk Assessment beforehand, since it will throw out the gap between...
Hi, Having done eight implementations for clients, both are right and otherwise. My experience with auditors has been that they are very cautious about the...
Hi, A week ago I finished my eighth implementation, which was certified. So far, I have conducted more than a dozen implementation courses on behalf of BSI...
Hi JP, I think in the corporate world we are all working in a commercial concern. Anyway, if you look at the methodology of an ISMS or ISO 27001, the methodology is -...
I'm in complete agreement with Dhananjay. It makes sense to understand the applicability of the Control Objectives beforehand in order to ensure that the Objectives are...