
ISO LA

Friday, September 27, 2019 9:28 PM

1. ISO 27001 clause 6.1.3 d) states that the Statement of Applicability must include "the justification for exclusions of controls from Annex A".
Explain in short when an exclusion can be made by an organisation.
Eg: the A.14 controls can be excluded if the organisation is not involved in a development process like such.....
2. Principal factors that affect the extent of ISMS documented information.
3. In the context of managing an audit programme, briefly explain the concept of risk-based auditing.
4. What are audit objectives?
5. Give an example of 'equipment' as referred to in ISO 27001 and briefly describe how leaving the equipment unattended could affect information security.
6. What is the evidence-based approach?
7. Why should the auditor be open-minded?
8. What is meant by 'top management', and which clause applies to top management?
9. Section 4 - 1st and 2nd is NC 3rd - Conformity

ISO 27001 clause 6.1.3 d) states that the Statement of Applicability must include "the justification for exclusions of controls from Annex A".
Explain in short when an exclusion can be made by an organization.

Ans: The inclusion or exclusion of a control depends on the context of the organization, the scope of the ISMS and, above all, the results of the
risk assessment and risk treatment (6.1.2 and 6.1.3). A control can be excluded when there is no risk within the ISMS scope that the control would
treat, and the SoA must record that justification so that an auditor can trace it back to the risk assessment. For example, an organization that does
not develop software (e.g. a bank whose IT is run by an outsourced captive) would not require most of the controls in section A.14 (system acquisition,
development and maintenance). Outsourcing alone is not a justification: when data hosting and storage are outsourced, the operation of some controls
(for instance those related to cryptography) moves to the supplier, but the accountability for the risk stays with the organization, so those risks
are treated through the supplier-relationship controls (A.15) and contractual requirements rather than by simply declaring the controls not applicable.

Principal factors that affect the extent of ISMS documented information.

The ISMS is tightly bound to the leadership's commitment to establish, implement, operate, monitor, review and improve information security. All
activities must follow a method. The method can be chosen by the organization, but it must be well defined and documented. The extent of documented
information (clause 7.5.1) varies from organization to organization based on:
1. The size of the organization and the type of its activities, processes, products and services
2. The complexity of the processes involved and their interactions
3. The competence of the persons doing the work

In the context of managing an audit programme, briefly explain the concept of risk-based auditing.
Risk-based auditing treats risk as the driver of the audit programme: the programme focuses audit effort on the areas where a failure of the ISMS
would matter most, so that information security is addressed proactively rather than reactively. An informed risk assessment, followed by a risk
treatment plan and the selected controls, mitigates the known risks and provides the basis for assessing and accepting the residual risk; the audit
programme is then built to verify that this is actually happening. Managing the programme on a risk basis involves:
1. Translating the key risks from the business risk process into the basis of the audit programme
2. Determining the level of assurance required
3. Determining the minimum acceptable audit coverage
4. Determining audit priorities and developing the plan
5. Carrying out the audits and assessing the results against the programme

What are audit objectives?

Every individual audit has an input (scope, criteria), a process (the audit itself) and an output (findings and conclusions) that should serve the
management's objectives for the ISMS. Audit objectives define what is to be accomplished by the individual audit. Audit objectives include:
1. Determination of the extent of conformity of the management system being audited with respect to its audit criteria.
2. Determination of the extent of conformity of activities, processes and products with the requirements and procedures of the management system.
3. Evaluation of the capability of the management system to ensure compliance with legal, contractual, regulatory and standard requirements.
4. Evaluation of the effectiveness of the management system in meeting its specified objectives.
5. Identification of areas for potential improvement of the management system.

Give an example of 'equipment' as referred to in ISO 27001 and briefly describe how leaving the equipment unattended could affect information security.
In the ISMS, equipment means any medium through which information can be created, processed, transmitted, stored or destroyed, such as servers,
storage devices, laptops, removable media and printers (Annex A.11.2). Leaving equipment unattended is a risk that can result in loss of
confidentiality, integrity or availability of the information it holds: an unlocked workstation left unattended gives anyone passing by access under
the logged-in user's identity (control A.11.2.8, unattended user equipment). For example, a fire-alarm break-glass hammer left unsealed in a data
centre room could be used by an intruder to destroy other valuable assets such as servers and storage devices.



What is the evidence-based approach?
The evidence-based audit approach is a rational method for reaching reliable and reproducible audit conclusions in a systematic way. Audit findings
and audit conclusions must be based on audit evidence that is verifiable. Because an audit is conducted in a finite period with finite resources, the
evidence is based on samples of the available information, and the conclusions carry a corresponding degree of uncertainty. Basing findings on
evidence also lets the auditor and the auditee agree on the findings, since each finding can be traced to the records, observations or interviews
that support it; evidence gives the auditor confidence in the conclusion and gives the auditee a clear statement of the risk that was found.

Why should the auditor be open-minded?

An auditor should be open-minded in order to consider alternative ideas and points of view, rather than judging the auditee against a preconceived
way of meeting the requirements. An organization may meet a requirement in a way the auditor has not seen before, and it may have implemented good
practices that the auditor can take note of and suggest as areas for improvement when auditing other clients.

What is meant by 'top management', and which clause applies to top management?

Top management is the person or group of people who direct and control the organization at the highest level and who commit to establishing,
implementing, operating, monitoring, reviewing and improving the ISMS. Top management is responsible for defining the scope of the ISMS, for
establishing the information security policy and the ISMS objectives, and for assigning the roles and responsibilities for information security.
It also ensures that the necessary resources are available and that the right competence, awareness and knowledge related to the ISMS are
disseminated to the relevant persons in the organization. Clause 5 (Leadership) covers top management, in particular clause 5.1 (Leadership and
commitment).
