Questions tagged [iso27001]

The specification for information security management systems, developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

81 questions
126 votes, 10 answers

Does an ISO27001 audit require users to reveal their passwords?

My company's system administrator is asking for our passwords for an ISO audit and my VP IT operations support says it's mandatory for ISMS (ISO27001). Can someone confirm if this is true?
v_sukt
25 votes, 6 answers

How to start with an Information Security Program?

I am a software tester, InfoSec is mostly tangential to my job, and people only ask me questions about InfoSec because I am not afraid to use Google or Stack Exchange when I don't know something (which is most of the time). Our US operations manager…
Amedee Van Gasse
19 votes, 3 answers

ISO27001 and Linux/Ubuntu

My company has an ISO 27001 certification. They provided me a new laptop with Windows 8 OS in it. I asked if I can have a Linux/Ubuntu OS installed, they said that it is not possible due to the ISO 27001 standards. Is it true or do the technical…
Vivek Aditya
14 votes, 4 answers

Why do we trust organizations that certify ISO 27001?

I've been asked why we trust organizations that certify ISO 27001. Where did they get the authority and recognition to be able to certify ISO 27001? For example, I can start a certification business and certify that a company is ISO 27001…
The Illusive Man
13 votes, 1 answer

Does ISO 27001 allow a company to use FTP?

On a project I had to use unsecured FTP to connect to the hosting provider - not SFTP, not FTPS. The hosting provider proudly claims it's ISO 27001 certified. Somehow this all seemed quite wrong to me. Is it possible that a company gets ISO 27001…
the
11 votes, 4 answers

What is a similar security standard to ISO 27001 with more focus on IT security?

*Edit - Replies so far are re-stating what ISO 27K is and is not. We are aware of this, however the perception of ISO 27K is different. We do not have infosec professionals so we just want to know what other options are out there regardless of…
user2514224
10 votes, 4 answers

What is meant by "Use of privileged utility programs" in the ISO27001:2013 standard?

The ISO27001:2013 standard (and ISO27002:2013 guidance) requires that use of "utility programs" that might be capable of overriding system and application controls should be restricted and controlled (A.9.4.4). I've looked, for example, at…
david-ocallaghan
10 votes, 2 answers

Password expiration and compliance (ISO, NIST, PCI, etc)

I'm quite confused about what the current state in 2017 is for the idea of password expiration/rotation, especially in relation to security certifications such as ISO, PCI, etc. I keep reading that password expiration is not very useful, but I've found…
Jacob
6 votes, 2 answers

ISO 27001:2013 certification questions

Advice/opinion appreciated. Ultimately, our company would like to achieve ISO27001:2013 certification, but that is some way off. In the interim, we want to be able to get to the point whereby we can "attest" to compliance (similar to the PCI DSS…
5 votes, 1 answer

Can OSSTMM RAVs be the base for a risk assessment methodology compliant with the new ISO 27001:2013 and ISO 31000?

The calculation of RAVs in OSSTMM seems very useful as a security metric, but can they be the base for a risk assessment methodology compliant with the new ISO 27001:2013 and ISO 31000? ISO 27001:2013 risk assessment requirements are aligned with ISO…
kinunt
4 votes, 2 answers

Question about ISO 27001:2013 scope definition

My company would like to be ISO 27001 certified, so we have started a preliminary study and are now working on a draft ISMS scope in accordance with the standard (context of the company, interested parties, boundaries ...). Several things remain…
4 votes, 1 answer

How to communicate how secure your system is to your employer's clients

Businesses have to collect information about their clients, and clients often want assurance that their information is secure. What is the accepted way to concisely and clearly communicate how secure the systems are that are transmitting and storing…
browly
4 votes, 1 answer

Does ISO 27000 certification increase the risk of being attacked?

I asked my client (a bank) why they don't certify themselves against ISO 27000 standards. The answer was that if they certified, it would increase the risk of being attacked. Does that make any sense? Can hackers be aware that some particular…
ZygD
4 votes, 2 answers

Is the ISO/IEC 27001 standard incompatible with free/open source software?

The ISO/IEC 27000-series of standards lay out how to create and manage an information security management system (ISMS). The ISO/IEC 27001 document provides the main body of the standard and is augmented by a number of sector-specific guideline…
08915bfe02
4 votes, 1 answer

Development of ISO27001 ISMS before production

I would like to ask if it is efficient and correct to design the ISO27001 ISMS for a company/organisation that is not yet in fully operational mode - e.g. the online architecture of their system is not finalised yet and undergoes several changes…