ISO 27001 EXAM-NEW UPDATED
What is the scope of the certification?
The delivery and development of the Stravito Service
What happens during the Stage 1 audit?
a review to ensure that all necessary documents, policies and processes exist
What happens during the second audit?
Ensure we work by the policies in place. Done through interviews and reviewal
of "proof" such as audit logs and information about the configuration of our
technical infrastructure.
In one sentence what is the scope of the current ISMS?
The Stravito platform and the development of it.
What is your information security policy?
Our Information Security Handbook & Policy targets all employees at
Stravito. Except Incident management processes and Risk management
processes
How is security awareness performed and measured?
Annual security awareness training for all employees AND targeted training for
certain teams (Tech, GM)
Is leadership committed to Information Security?
YES ! InfoSec is an essential part of Stravito SaaS platform. Our customers rely
on us to keep their confidential information safe, which we are contractually
obligated to.
What are the long term goals and objectives with Information Security?
To ensure that we build a product that is both secure and trustworthy. Security
is a cornerstone of our business in order for us to to keep existing customers
and gain new customers. (add more)
, How do GM review the efficiency of the ISMS?
Through a management review process. - - Head of Security keeps GM
informed about ongoing activities and risks, with a feedback loop for
continuous improvement of the ISMS. We also set quarterly OKR's reflecting
the ongoing activities.
Could you explain the three lines of defense model?
the 1st line of defense managers -> enough resources to work with risk
management and infosec and employees -> day to day work at an operational
level, i.e. identifying risk and implementing security controls
2nd line of defense consists of organisational functions supporting general
management in creating policies, processes and procedures and supporting the
rest of the organisation with expert knowledge and training.
the 3rd line of defense consists of audit functions ensuring that the 2nd line of
defense does what they are assigned to do
What is the CEO's role in the ISMS?
the CEO is the owner of the information security policy
the ceo delegates the responsibility for security-related documentation to the
head of security.
all policy changes must be approved and signed by the head of security.
the ceo is also accountable for processing of personal data where stravito is
the data processor..
What are the interested parties of stravito's ISMS?
ceo
general management,
head of security
customers (of the stravito cloud service),
data protection agencies
What is the scope of the certification?
The delivery and development of the Stravito Service
What happens during the Stage 1 audit?
a review to ensure that all necessary documents, policies and processes exist
What happens during the second audit?
Ensure we work by the policies in place. Done through interviews and reviewal
of "proof" such as audit logs and information about the configuration of our
technical infrastructure.
In one sentence what is the scope of the current ISMS?
The Stravito platform and the development of it.
What is your information security policy?
Our Information Security Handbook & Policy targets all employees at
Stravito. Except Incident management processes and Risk management
processes
How is security awareness performed and measured?
Annual security awareness training for all employees AND targeted training for
certain teams (Tech, GM)
Is leadership committed to Information Security?
YES ! InfoSec is an essential part of Stravito SaaS platform. Our customers rely
on us to keep their confidential information safe, which we are contractually
obligated to.
What are the long term goals and objectives with Information Security?
To ensure that we build a product that is both secure and trustworthy. Security
is a cornerstone of our business in order for us to to keep existing customers
and gain new customers. (add more)
, How do GM review the efficiency of the ISMS?
Through a management review process. - - Head of Security keeps GM
informed about ongoing activities and risks, with a feedback loop for
continuous improvement of the ISMS. We also set quarterly OKR's reflecting
the ongoing activities.
Could you explain the three lines of defense model?
the 1st line of defense managers -> enough resources to work with risk
management and infosec and employees -> day to day work at an operational
level, i.e. identifying risk and implementing security controls
2nd line of defense consists of organisational functions supporting general
management in creating policies, processes and procedures and supporting the
rest of the organisation with expert knowledge and training.
the 3rd line of defense consists of audit functions ensuring that the 2nd line of
defense does what they are assigned to do
What is the CEO's role in the ISMS?
the CEO is the owner of the information security policy
the ceo delegates the responsibility for security-related documentation to the
head of security.
all policy changes must be approved and signed by the head of security.
the ceo is also accountable for processing of personal data where stravito is
the data processor..
What are the interested parties of stravito's ISMS?
ceo
general management,
head of security
customers (of the stravito cloud service),
data protection agencies
