Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Reviewing incidents in Conformio Management Review
We are trying to use the Management Review process implemented in Conformio, to maintain our ISO 27001 compliance project. One of the items in MR is reviewing the recent incidents. The incident records in the Incident Register do have an attribute to indicate their review status, but I could not figure out how to toggle that to Reviewed, after we perform the actual incident review. Please, can someone advise on the correct procedure?
-
UPDATE ADDRESS
If you plan to move the department of the system to another address then have to update what records? Note: Only use the network of the new address, the rest is managed according to the old system. Thanks! -
Secure Development policy
There is a paragraph in the Secure development policy which states: In addition to the risk assessment performed according to the Risk Assessment and Risk Treatment Methodology, Head of RD must perform the annual assessment of the following: the risks related to unauthorized access to the development environment the risks related to unauthorized changes to the development environment technical vulnerabilities of the IT systems used in the organization the risks a new technology might bring if used in the organization the risk a new development methodology and/or programming language might bring if used in the organization the risks related to licensing requirements The question is, is this assessment to be done in the Risk Register or is it an additional document that needs to be drafted by the Head of R&D? Thanks -
Confidentiality Statement
We are drafting the Confidentiality Statement through Conformio. To do this we have downloaded a template which should be edited based on the specific clauses are required in the company. This document should involve both employees and external parties. The issue is that we do not have a single document for all. For example for the employees the confidentiality statements are added in the employement letter which also references the employee handbook which has additional clauses, while for third parties there is a specific NDA. So the question is, how am I supposed to say all this since I have a single template? Best Regards -
Edit Risk register
Hi there We want to edit the Impact and Likelihood fields for certain risks on the Risk Register. How do we do this? thank you. -
Access Control Policy - Managing Records
Hi All,
I'm drafting the Access Control Policy in Conformio.
At chapter "4. Managing records kept on the basis of this document" it asks for the management of 2 types of Records.
one is quite clear, it demands the management of an Access Control Review register.
The second one instead is not totally clear to me, what I don't fully understand is if we need to keep a register for only tracking the privileges (access rights granted to roles or users that usually wouldn't have them) or if we need to track every single access given to all the employees on all the used applications.
Can someone suggest what should be tracked?
Thanks in advance
Best Regards
Igor
-
Access Control Policy - Map Job titles to User Profiles
I am drafting the Access Control Policy in conformio.
In the section 3.2, I initially have drafted the User profiles, Applications and access rights for each SW that we are using.
Then I need to map the User Profiles to the job Titles.
The question is: When mapping the Support Administrator profile, can I simply map to the Job title "mid management" or do I need to specify Support Mid Management?
What I mean is that it is obvious that the Support software administration will never be assigned to the HR Mid management, but do we need to be specific when drafting the mapping between a User Profile and a Job Title?
Will an auditor accept a high level definition?Thanks
Best Regards
Igor
-
Access Control Policy
Hi All,
I am drafting the Access Control Policy in Conformio.
In the document there is a section in which I need to map the job titles to the user profiles.
My issue is that for some of the applications that we are using there are a set of pre-exisintg user profiles like for example Light Agent or Standard staff for which we do not have any users assigned to them.
In this case should I simply not list them in the Definition of User Profiles or should I list them to state their existence but when doing the mapping with the job titles say something like "No currently Job Title assigned to the profile"
Thanks in advance.
Best Regards
Igor
-
Project Plan
Do I have to put phone numbers and email address into the project plan I have left them blank and it is not allowing me to move forward?? -
Template for ISO27001 Audit program
I just bought the termplate for Internal audit program, ISO27001 and I am wondering about the details. The template is very simple and doesn't really show how to ensure that the whole standard incl the security controls have been reviewed in a three year period which I understand is a requirement from our certification body. The template only includes detailing the areas (departments and processes for example) and other details such as methods, Criterias (which I understand would be iso27001 then) etc.
Isn't it also necessary to show in the program that we have a plan to ensure full review of the standard? And if so, how would you suggest this is inserted into the IA Program, using the Advisera template?