ISO 27001 & 22301 - Expert Advice Community


  • Context of the Organization, where is this in Conformio?

    Where in Conformio are clauses 4.1, 4.2 and 4.3 addressed? We completed stage 1 a few weeks ago and the auditor listed this critical finding "Cl. 4.0 Context of the Organization is not determined" We are scheduled for stage 2 in 1 week, and need to find/create this document fast.
  • Corporate use of Conformio

    Thank you for the following… I’m already testing the 30-day trial of the Conformio platform; it looks very interesting! I have one question related to the corporate use of Conformio. I work in a mid-size company that has 2 different business units. If I want to implement ISO 27001 for both business units on a different timeline, do I need to purchase 2 licenses of Conformio, or can I manage the ISO 27001 implementation for both with just one license? For example, one this year and the other in 2023? Those B.U. are not different companies, but they have different structures, with different IT departments for example, and different interested parties for the ISO 27001 certification accomplishment.
  • SoA - controls

    When the status of a control says "Planned" and there is no document but only a task there, does this mean we need to develop our own policy? For example, control A.6.1.2 has the status "Planned"; however, the implementation method is a task and there are no documents: https://i.imgur.com/5Smc3Fu.png How do I cover this and controls with similar status? Do I need to develop my own policies in that case?
  • ISO 27001 Risk Assessment

    We are currently working on our asset register and risk assessment for ISO 27001. One thing that we are a bit unsure of is the column "existing controls" in the risk assessment table and how existing controls affect the risk treatment and the SoA. 1. What would you say counts as an existing control, and how "secure" does it need to be to lower the risk level (documented, implemented as a process, etc.)? 2. If the already existing controls lower the risk level, which we suppose they do according to your video lessons, then the risk level might be so low that the risk doesn't need to be included in the risk treatment. And if it doesn't need to be included in the risk treatment, then we don't need to implement a control from Annex A to cover this risk? Have we understood this correctly? It seems a bit wrong to exclude Annex A controls that actually should be applicable.
  • ISO 27001 query

    I have a question. For an organization that has servers on premise and in the cloud, to comply with 12.4.4 Clock synchronization, all systems should be configured with the same time and date. Which servers in the cloud should have the same time as the servers on premise: SaaS, DaaS, IaaS, or none of the cloud servers should sync?
  • Toolkit content

    I am responsible for updating our ISMS, and I am missing a template for the recovery process (start-up plan), which is under A.17.4.5; what is there is not enough for me. I have to define which server or service or process has to be restored first, or what dependencies there are. Do you have any further documents?
  • Security asset inventory

    Although there is information about creating an asset inventory, and what needs to be in it, it doesn't feature in any of the implementation steps. I normally create one before doing a risk assessment and use the content for the risk assessment so there is cross-mapping. I'd be interested to hear your thoughts.
  • Query on SOC 2 certification

    I have a query: how much of this documentation can be reused if the organization also wants to pursue SOC 2 certification?
  • Conformio - acceptance of residual risk in reports

    My recollection is that where the residual risk was 3 or more, i.e., unacceptable, we reviewed the risk and the risk owner could decide to accept the residual risk. The fact that the risk owner accepted the risk does not seem to be recorded anywhere in the reports. Where can I find that? I can’t see where we say that a residual risk is accepted.