ISO 27001 & 22301 - Expert Advice Community


  • Access Control Policy - Managing Records

    Hi All,

    I'm drafting the Access Control Policy in Conformio.

    At chapter "4. Managing records kept on the basis of this document" it asks for the management of 2 types of Records.

    One is quite clear: it demands the management of an Access Control Review register.

    The second one instead is not totally clear to me. What I don't fully understand is whether we need to keep a register only for tracking the privileges (access rights granted to roles or users that usually wouldn't have them) or whether we need to track every single access given to all the employees on all the used applications.

    Can someone suggest what should be tracked?

    Thanks in advance

    Best Regards

    Igor


  • Access Control Policy - Map Job titles to User Profiles

    I am drafting the Access Control Policy in Conformio.

    In section 3.2, I initially drafted the User Profiles, Applications and access rights for each piece of software that we are using.

    Then I need to map the User Profiles to the job Titles.

    The question is: when mapping the Support Administrator profile, can I simply map it to the job title "Mid Management" or do I need to specify "Support Mid Management"?

    What I mean is that it is obvious that the Support software administration will never be assigned to HR Mid Management, but do we need to be this specific when drafting the mapping between a User Profile and a Job Title?

    Will an auditor accept a high level definition?

    Thanks

    Best Regards

    Igor

  • Access Control Policy

    Hi All,

    I am drafting the Access Control Policy in Conformio.

    In the document there is a section in which I need to map the job titles to the user profiles.

    My issue is that for some of the applications that we are using there is a set of pre-existing user profiles, for example Light Agent or Standard Staff, to which we do not have any users assigned.

    In this case, should I simply not list them in the Definition of User Profiles, or should I list them to state their existence and, when doing the mapping with the job titles, say something like "No Job Title currently assigned to this profile"?

    Thanks in advance.

    Best Regards

    Igor

  • Project Plan

    Do I have to put phone numbers and email addresses into the project plan? I have left them blank and it is not allowing me to move forward.

  • Template for ISO27001 Audit program

    I just bought the template for the Internal Audit Program, ISO27001, and I am wondering about the details. The template is very simple and doesn't really show how to ensure that the whole standard, including the security controls, has been reviewed in a three-year period, which I understand is a requirement from our certification body. The template only includes detailing the areas (departments and processes, for example) and other details such as methods, criteria (which I understand would be ISO 27001 then), etc.

    Isn't it also necessary to show in the program that we have a plan to ensure a full review of the standard? And if so, how would you suggest this is inserted into the IA Program, using the Advisera template?

  • How comprehensive and specific should we describe the implementation methods in SoA?

    Hi, I still struggle with the SoA. I know it's not mandatory to describe the implementation methods, which is practical if I don't yet know what specific measures we want to implement. But in the next step (risk treatment plan), I have to provide information on human, financial and technological resources. This is only possible if we know fairly precisely how implementation is to take place.

    Isn't it better to describe the implementation in more detail? But what does that look like? For example, we have a project for log obfuscation that has been started but is not yet finished. It fits in with control 8.11 Data Masking. Do we then mention the project under Implementation at 8.11?

    What do we do with the controls that we don't yet know how to implement but think are important? Only mention a policy that we will write, or a task that we need to rework an existing policy?

    What do we do if we later realize that we need to implement technical measures?

  • Non-mandatory documents

    I'm preparing a checklist for ISO 22301 and I found the list of non-mandatory documents on your website. The list is a helpful resource, and I was hoping to gain some additional information about its source. Specifically, I am curious whether the list of non-mandatory documents is directly referenced within the ISO 22301 standard itself, or whether it represents a compilation of best practices or recommendations from another source.

  • What do we do when our existing policies do not match Conformio's policies?

    Some of the policies that we have to create according to the Statement of Applicability already exist as pages in our company wiki. The Conformio policies and our policies will not be the same; I rather expect ours to contain more detailed rules. Because we are still working on the SoA, I cannot check what exactly is written in the policies provided by Advisera.

    I know that there is the possibility to add custom paragraphs in the Conformio policies, but no custom headings can be added.

    What do we do if our guidelines and Conformio's do not match?

  • Teleworking Policy and IT Security Policy

    Considering that the rules specified in the IT Security Policy are the same as the ones in case of teleworking, and that all our applications and SaaS are in the cloud, could we avoid writing a Teleworking Policy and state that teleworking is regulated by the IT Security Policy?

    Thanks

  • Risk treatment plan

    Is it necessary to implement a treatment plan for all identified risks, or is it only necessary to apply a treatment plan if a medium or high risk is detected?

    I am asking this question because in my risk assessment, all the residual risks are low, and according to my policy, only medium and high risks should receive a risk treatment plan. I want to know if it's appropriate to leave low risks without a risk treatment plan or if I should create one despite all risks being low.
