Conformio - Company Settings and Users
1 - When completing the Risk Register are we choosing the Assets / Threats and Vulnerabilities without any controls in place? We are then to add existing controls into the Treatment Plan?
Your understanding is partially correct. Existing controls are identified during the risk treatment step (the same way they are identified for non-implemented controls) and identified as implemented in the Statement of Applicability, so they are not referred to in the Risk Treatment Plan.
2 - Also, in terms of an asset register for 27001 Compliance, is the asset list deemed sufficient on Conformio or should we have an asset list that details each asset a user has along with an asset tag?
User A – Mobile001, Laptop001, Tablet001
User B – Mobile002
Etc
etc
For ISO 27001 compliance purposes the asset register provided by Conformio is sufficient. In general, asset control in terms of individual users is required for IT operations. For information security operations it is enough to know which role is responsible for the asset (e.g., employee, manager, developer, etc.).
This article will provide you with a further explanation of the asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
I am not sure where you’re getting your information, but good topic. I need to spend some time learning more or understanding more.
Thanks for the magnificent info. I was looking for this info for my mission.
Jul 28, 2022