ISO 27001 & 22301 - Expert Advice Community


  • Additions to Conformio

    Please can you advise with regard to the following: in the Conformio Risk Register I am able to add Risks, which are specific to a client. If the Control is from an alternative Source, for example ISO 31000, can this control be added to the Control ID defined in the SoA? If this is not possible, how would I be able to manage all Risks in the organisation through Conformio if ISO 27001 is the only source of Controls?
  • Information security policies

    Can you help me with the following questions: 1. Can ISMS Security Objectives be the same as the Control Objectives of ISO 27001:2013, or are they two different types of objectives? 2. What is the difference between an information security policy and a recommended control, or can they be the same? 3. For the establishment of the ISMS Security Policies, can the textual requirements of ISO 27001:2013 be taken? 4. For the establishment of the ISMS Security Policies, can the same statements of the Control Objectives of ISO 27001:2013 be taken? 5. For the establishment of the ISMS Security Policies, can the same 114 statements of the ISO 27001:2013 Controls be taken?
  • ISO 27001 templates

    Hi, we have recently purchased your ISO templates and I am one of those responsible for working on them. In the document A.12.1_Security_Procedures_for_IT_Department_Cloud there is a section at the bottom with all the attachments, which I am lost in because I could not find any templates for those attachments. These are: [Security features and level of expected service for network services] – electronic and paper form; [Security features and level of expected service for cloud services] – electronic and paper form; [Erasure/destruction records] – in paper form; [Decisions about the communication channels used for specific types of information, restrictions, forbidden activities] – electronic form. I simply do not know where to start from scratch. Is there any template that could help, please?
  • Scope Document

    I am currently working through the Scope document for the ISO 27001 audit, and had a quick question regarding the scope document, but really all of them. There are many sections of the documents that describe the purpose of the document, and I was wondering if there is anything I NEED to delete from the documents for the audit itself? Or am I okay to just fill in the information for my company and leave the rest?
  • Validation of the ISO certification

    Once a person is certified, how long is this certificate valid as an auditor? Is there a reference? For example, if someone has been a certified auditor since 2015, is it still valid? https://i.imgur.com/AR44Jl4.png
  • ISO 27001 Contact with Authorities

    When looking at ISO 27001, what are examples of relevant authorities under Annex A.6? As a US company, we may model our work around GDPR, but we don't necessarily have a legal requirement to follow it. With that said, are there any other authorities we would want to maintain contact with?
  • Asset management

    My question is about your asset inventory. I have doubts: I have a list, and among the list there is equipment such as laptops and desktops, software, servers, licenses, and records; the entire list is entered as assets. For example, I have approx. 22 laptops. Are they all entered individually as assets, or do I only take them all as one? If you had an example of one already made, I would appreciate it as guidance.
  • Non-conformities

    Hi Dejan, I wanted to ask you about documented information for the ISO 27001 Clauses 4.2 and 4.4. For Clause 4.2, our external auditor requires us to have a document containing all needs and expectations of interested parties. My understanding is that there is no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, Compliance_Requirements.pdf. For Clause 4.4, our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10. My understanding is that there is no standard requirement for an ISMS Manual document. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, ISMS_Manual.pdf. Thank you for your help.
  • Mapping of requirements categories to ISO 27001 Compliance controls (Conformio)

    We have a customer that requires a quarterly Penetration test. We believe this requirement is related to "Operation of information technology" in the dropdown. So far so good; however, we believe it is also related to ISO 27001 control 18.2.3 Technical compliance review, but there is no corresponding option in the dropdown to choose a Compliance type of category for this requirement. Is this an omission? Or, to what dropdown item should we map this requirement so that it shows up in the appropriate area of the SoA?