Sunday 17 December 2023

Categorised plans

Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog.

[Image: rough diagram of the categorisation planning process]

This is just a rough diagram to illustrate the concept. Very rough. "Rough as", as we say down here on the Far Side.

Saturday 16 December 2023

Assessing upstream supply chain information risks


Yesterday, someone sought guidance from the ISO27k Forum on categorising vendors by risk. Here's my coffee-fueled early-morning response, lightly edited for this blog.


Risk assessment criteria

In the context of an ISO 27001 Information Security Management System (ISMS), the primary concern in relation to vendors is the information risk arising in the upstream supply chain or network, viewed from the customer organisation's business perspective.

Breaking that down, the kinds of factors that may affect the information risk levels include: