
Frequently Asked Questions

Q. What level of detail do I need to go to within the resources for ISO 27001?

A. Specific named items only need to be identified if you believe the system, product, application, etc. is at individual risk. For example, grouping items such as 'Laptops' across a business makes sense instead of listing each model and brand. However, if certain employees, teams or departments hold more sensitive data on their laptops, those can be labelled separately as 'Sensitive Laptops'. The decision comes down to what information could differ between the two groups of laptops and therefore require a different approach to information security.

Q. What is the purpose of the relationship within the resources?

A. Relationships are put in to help you address which resources could be affected by an impact on other resources. Linking them helps you benchmark the level at which linked resources should be measured. The linked resources are referred to as dependants and dependencies.

Q. Do I need to record every software application that we use within my organisation within the resources to meet the requirements of ISO 27001?

A. No, these can be grouped by how they are used, or even not listed at all. What you need to consider is whether they have a specific, individually identifiable practical use that could carry its own risks. For example, Microsoft Word and PowerPoint probably won't need to be included; however, legacy products should be included if they are out of support from their provider.

Q. My control recommendations don’t seem high enough?

A. Slightly improving or maintaining a level is a better approach than aiming for a level you cannot deliver on.

Q. When should I address the control levels?

A. Controls should be addressed once assets/resources and their relationships have been established and their CIA scoring completed.

Q. Can Resources be added at a later date?

A. Yes, these can be added after the initial setup as and when they are identified. Remember, when adding new resources, to consider their relationships to other resources.

Q. What scale should I measure controls on?

A. In CMA setup, under Maturity Models, you will find the default scale and scores provided.

Q. My CIA scores are not updating even though they are set up to inherit from another resource?

A. If you have already scored a resource individually, the inherited values will not overwrite the existing input.

Q. How do I mark someone as an owner without having to give them access to Abriska?

A. Creating a new contact allows Abriska users to assign members of staff to certain roles and to email reports to them as required. If a user name is not created, the contact will not be able to log in.