
ISO 27001 & 22301 - Expert Advice Community

  • Project Plan

    Do I have to put phone numbers and email addresses into the project plan? I have left them blank and it is not allowing me to move forward.

  • Template for ISO27001 Audit program

    I just bought the template for the Internal Audit Program, ISO 27001, and I am wondering about the details. The template is very simple and doesn't really show how to ensure that the whole standard, including the security controls, has been reviewed in a three-year period, which I understand is a requirement from our certification body. The template only includes detailing the areas (departments and processes, for example) and other details such as methods, criteria (which I understand would be ISO 27001 then), etc.

    Isn't it also necessary to show in the program that we have a plan to ensure full review of the standard? And if so, how would you suggest this is inserted into the IA Program, using the Advisera template? 

  • How comprehensive and specific should we describe the implementation methods in SoA?

    Hi, I still struggle with the SoA. I know it's not mandatory to describe the implementation methods which is practical if I don't yet know what specific measures we want to implement. But in the next step (risk treatment plan), I have to provide information on human, financial and technological resources. This is only possible if we know fairly precisely how implementation is to take place.

    Isn't it better to describe the implementation in more detail? But what does that look like? For example, we have a project for log obfuscating that has been started but is not yet finished. It fits in with control 8.11 Data Masking. Do we then mention the project in Implementation at 8.11?
    What do we do with the controls that we don't yet know how to implement but think are important?  Only mention a policy that we will write, or a task that we need to re-work an existing policy?
    What do we do if we later realize that we need to implement technical measures?

  • Non-mandatory documents

    I'm preparing a checklist for ISO 22301 and I found the list of non-mandatory documents on your website. The list is a helpful resource, and I was hoping to gain some additional information about its source. Specifically, I am curious whether the list of non-mandatory documents is directly referenced within the ISO 22301 standard itself, or whether it represents a compilation of best practices or recommendations from another source.

  • What do we do when our existing policies do not match Conformio's policies?

    Some of the policies that we have to create according to the Statement of Applicability already exist as pages in our company wiki. The Conformio policies and our policies will not be the same; I rather expect ours to contain more detailed rules. Because we are still working on the SoA, I cannot check what exactly is written in the policies provided by Advisera.
    I know that there is the possibility to add custom paragraphs in the Conformio policies, but no custom headings can be added.
    What do we do if our guidelines and Conformio's do not match? 

  • Teleworking Policy and IT Security Policy

    Considering that the rules specified in the IT Security Policy are the same as the ones in the case of teleworking, and that all our applications and SaaS are in the cloud, could we avoid writing a Teleworking Policy and state that teleworking is regulated by the IT Security Policy?

    Thanks

  • Risk treatment plan

    Is it necessary to implement a treatment plan for all identified risks, or is it only necessary to apply a treatment plan if a medium or high-risk is detected?

    I am asking this question because in my risk assessment, all the residual risks are low, and according to my policy, only medium and high risks should receive a risk treatment plan. I want to know if it's appropriate to leave low risks without a risk treatment plan or if I should create one despite all risks being low.

  • 3.4. Handling classified information

    In the Information Classification Policy, to be more specific in 3.4. Handling classified information, what exactly do you want me to write down?

  • Custom Edit Documents

    I am just getting started with Conformio and I see a problem. The wizard shows a document with text stating a policy on something we do not do. I see where I can add a paragraph, but how might I go about removing the text in the wizard that is not relevant to us?

    Specifically, it is the Procedure for Document and Record Control stating what we do with physical documents. We are fully remote and cloud-collaborative. We do not have physical documents (or locations) in the ISMS scope. And knowing our auditor, if he sees text about physical documents and how we handle them, he will want evidence.

  • Recovery

    I just want to know if, in best practices, and according to ISO 22301, it is preferable, in case of need for recovery, to perform it fully automatically or require human intervention step by step.

    Is there a clause in the ISO 22301 documentation that specifies or describes this fact?
