Question:

For each of the situations below:-

(a) Mention most relevant clause of ISO 27001:2005

(b) Whether the practice followed in the organization is appropriate and implemented as per the requirement of relevant control of ISO 27001. If not, indicate the deviation

S1 An organization has planned to take third party service for managing its enterprise resource planning software. It also expects that the contracted supplier shall attend the problem within an hour the complaint is lodged to the party. How the organization ensures its requirements are taken care of by the third party and which control of ISO 27001 is applicable?

S2 A large organization has outsourced the data centre activities to a well known supplier. All the possible requirements as identified in terms of SLA and non-disclosure agreement as required, have been entered in the contract as part of ISMS implementation in the organization. The outsourced supplier is also responsible to change the system data and only intimation is given to the parent organization. No control is available with the parent organization before or during change.

S3 The organization's policy calls for only one user with super user right. The Network Administrator went on study leave for 1 yr. and the Network Supervisor was made an adhoc administrator and allotted the super user rights. After joining of the Network Administrator from leave, both of them continued with super user rights.

S4 An organization wants to dispose of 100 old Pentium PC's and to get new model P IV 2.6 GHz in exchange. What steps should it take to meet the requirement of ISO 27001: 2005?