Where in Conformio can I find templates? I am looking for a template to address the requirements in 27002 12.1.2.
Conformio - Managing Records kept on the basis of any document
Hello All,
We notice that there is no way for us to fully edit the Controls for record protection under managing records kept of any document generated in Conformio.
Currently, it only shows and limits to a specific person and we need to remove that. Please find an example below:
The following word only cannot be removed and, as you can also notice, it limits to a specific person rather than a group of personnel, which is what we aim for really.
Incident Response Plan
Is it possible to use part of the documentation generated for ISO 45001 (Occupational health and safety) to reference certain points found in the doc "17.4.1_Apendice_1_Plan de respuesta incidentes" (17.4.1 Appendix 1 Incident response plan) of ISO 27001, section 4.2 "Control and eradication of an incident"?
Advisera ISO toolkit ISO27017 ISO27018
Within each document, how do we know which sections, paragraphs or sentences are designated for 27017/18? Are they marked specifically, or do customers/readers have to find them manually?
ISMS scope
Hope you are doing well.
This is ***, one of the participants in yesterday's webinar - ISO 27001/ISO 22301: The certification process. At this point I would like to express my great thanks and appreciation to you, because without your free ISO27001 courses and free webinars I wouldn't be right now in my company's ISO27001 project team.
The reason I'm writing to you now is because I'd like to hear your input on a discussion I had just 2 days ago during our ISO 27001 Implementation meeting here in the company where I work. Based on the defined ISMS scope, primarily we need to prepare for now only the IT Department for ISO27001 certification. (Afterwards we shall continue with other departments; currently the urgent need is the IT, where I'm also a member as a system/network/security engineer).
The project team consists of 6 people. Yesterday during the discussion, all other 5 members were insisting that there is no need to cover any section from ISO 27001 – Annex A.7: Human Resource Security, while I, on the other hand, was trying to convince them that yes, definitely we need to cover this control, not only because it is part of Annex A but because it is directly related to IT areas as well.
It was impossible to convince them; they still insist that the ISMS scope and the certification goal is the IT, not the HR. And now I'm wondering, are they indeed right and I'm wrong? I'm really confused and for sure I do not want to make any bad impression from the very beginning.
Your insights are valuable, and your assistance/guidance is, as always, greatly meaningful to me, dear Dejan.
Thank you.
ISO 27001 Enquiry
Consider the following scenario:
Organization A engages a vendor for its SaaS services to manage System A. System A is not an on-premises SaaS system and is managed by the vendor, which is currently ISO 27001 certified.
If Organization A wishes to obtain ISO 27001 certification for System A, will Organization A be exempt from certain clauses in the ISO 27001 standard that are managed by the vendor? For example, physical security and encryption controls.
In summary, I would like to gain a better understanding of how to go about preparing my organization for ISO certification for systems which are off-premises SaaS solutions managed by an ISO certified third-party vendor.
Questions about Conformio
1 - Of the items listed as mandatory for 27001, do they all have to be in place at stage 1 or is it okay to have a select listing completed and others WIP?
2 - Also, could you give me an indication of the costs involved with Conformio please? Does Conformio only cover 27001 or does it cover other standards as well? I am currently responsible for the compliance and regulatory affairs of 2 companies which I have taken through ISO13485, and I manage and maintain both their QMS arrangements, audits, NCs, suppliers etc.
3 - I am currently seeking to add 27001 certification for both and have a project team in place to identify where the existing QMS requires additional items to be ready for 27001 – currently doing risk threat analysis and controls identification to enable completion of the Statement of Applicability – I will be using the same compliance company as we do for 13485 and have provisionally booked stage 1 for September – additionally, one business creates non-medical digital assets in addition to medical devices, so I am seeking 9001 there also. Pretty full on, as you can imagine.
BSI are constantly mailing me pushing their Compliance Navigator tool, but I think we are too small (70 people between both) and would use it too little to justify the costs they're quoting – is Conformio a similar tool?
4 - Also, would you have or have knowledge of anywhere that I might be able to find a regulatory roadmap for medical devices across different regions? (Seems to be a bit of a minefield, and each country seems to have regulations relating to clinical risk management etc. in place which must be met in addition to MDR etc.)
Sorry for the early morning brain dump - hopefully it makes sense.
DR/BCP career
I currently have my CBCP. I am looking to further my DR/BCP career with ISO certifications. Which one(s) is/are best for me?
Question on Stakeholder Requirements for ISMS ISO 27001:2013
1 - In the survey of stakeholders for my ISMS, in what scenario may some suppliers have requirements that must be considered for the ISMS?
Are these requirements that they must meet for my organization regarding information security, or are they requirements that my company must meet with them in aspects of information security?
Currently my providers are:
Microsoft (Azure + Office 365)
Amazon (cloud services)
Google (Corporate email)
Zoom (Videoconference)
Spamexperts (SMTP Relay)
Turbo SMTP (SMTP Relay)
Sophos (Antivirus licenses)
A Provider of the data center of my private cloud
An Internet access Provider in my physical Office.
A Software Development Provider.
A Provider of maintenance and support of User equipment
A maintenance and support provider for my virtual servers
A Provider that provides information security consulting services
With Microsoft, Google, Amazon, Zoom and Sophos, a contract is not managed; I simply buy and pay for the service online.
2 - Could you give me some examples of possible requirements these providers have regarding the ISMS that I want to implement?
3 - What considerations should I take into account regarding these suppliers in my ISMS?
ISO Control 15.2.2 Extended Support Request
Hello Advisera Team,
We are currently preparing for our upcoming ISO assessment and wanted to reach out for some guidance on ISO Control 15.2.2, which is copied below. What would be the specifics that would be used as evidence to show that our organization is meeting this requirement? The bullets below highlight what our current process is and our associates would be able to speak to this; however, there is no real documented procedure.
• During contract negotiations third parties are asked to make *** aware of any relationship changes so a reassessment can be done.
• Any significant changes with a third party will go through an IT change management process.
• If changes occur to the type of data being exchanged, to include sensitive data, our scheduling team will bring awareness.
• Periodic reassessments of third parties are completed by ***.
“Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, should be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks.”
Please let me know if you need further clarification on the above items.