Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
What is the main difference between ISO/IEC 27701:2019 and ISO/IEC 27701:2025 ?
What is the main difference between ISO/IEC 27701:2019 and ISO/IEC 27701:2025 ? Any new information as its the latest news in the ISO world. Please throw some light for the same. -
record about Phisical and Electronic correspondance
Hi In the first "Procedure for document and record control" we have one paragarpahe related to phisical and electronic records and when i choose for both Excel file the sentece become wired Each external document that is necessary for the planning and operation of the ISMS must be recorded in the Register of external correspondence in Excel or in the Register of external correspondence in Excel, according to their form. The Register of external correspondence in Excel and the Register of external correspondence in Excel must contain the following information: sender, document name, and date of receipt. The person who receives such external documents in paper or other physical forms (e.g., through regular mail or as courier parcels) must make a record in the Register of external correspondence in Excel. The person who receives external documents in electronic form (e.g., through email) must record them in the Register of external correspondence in Excel. hiw can we modify that paragraphe ? Also when we subscribe and get a quick workshop on getting started with confirmi, the person who present the tool told me that an update will be available wher we can modifiy the documents in a more flexibale way with teh possibility to ad headers and footers like in world can you tell me when it will be available ? thanks Ed -
Risk level = 4, how to bring the residual risk at zero
Hi, In Conformio, I’m currently in the Risk Register phase, Treatment step. When both Impact and Likelihood of my risk are set to 2-High (Level set to 4 – Not acceptable), I’m not able to bring the residual risk at zero. It remains at one, even when selecting all suggested risk treatment controls (safeguards). What should I do to bring the residual risk at zero? Or should I rather accept this residual risk of one? -
Reviewing incidents in Conformio Management Review
We are trying to use the Management Review process implemented in Conformio, to maintain our ISO 27001 compliance project. One of the items in MR is reviewing the recent incidents. The incident records in the Incident Register do have an attribute to indicate their review status, but I could not figure out how to toggle that to Reviewed, after we perform the actual incident review. Please, can someone advise on the correct procedure?
-
UPDATE ADDRESS
If you plan to move the department of the system to another address then have to update what records? Note: Only use the network of the new address, the rest is managed according to the old system. Thanks! -
Secure Development policy
There is a paragraph in the Secure development policy which states: In addition to the risk assessment performed according to the Risk Assessment and Risk Treatment Methodology, Head of RD must perform the annual assessment of the following: the risks related to unauthorized access to the development environment the risks related to unauthorized changes to the development environment technical vulnerabilities of the IT systems used in the organization the risks a new technology might bring if used in the organization the risk a new development methodology and/or programming language might bring if used in the organization the risks related to licensing requirements The question is, is this assessment to be done in the Risk Register or is it an additional document that needs to be drafted by the Head of R&D? Thanks -
Confidentiality Statement
We are drafting the Confidentiality Statement through Conformio. To do this we have downloaded a template which should be edited based on the specific clauses are required in the company. This document should involve both employees and external parties. The issue is that we do not have a single document for all. For example for the employees the confidentiality statements are added in the employement letter which also references the employee handbook which has additional clauses, while for third parties there is a specific NDA. So the question is, how am I supposed to say all this since I have a single template? Best Regards -
Edit Risk register
Hi there We want to edit the Impact and Likelihood fields for certain risks on the Risk Register. How do we do this? thank you. -
Access Control Policy - Managing Records
Hi All,
I'm drafting the Access Control Policy in Conformio.
At chapter "4. Managing records kept on the basis of this document" it asks for the management of 2 types of Records.
one is quite clear, it demands the management of an Access Control Review register.
The second one instead is not totally clear to me, what I don't fully understand is if we need to keep a register for only tracking the privileges (access rights granted to roles or users that usually wouldn't have them) or if we need to track every single access given to all the employees on all the used applications.
Can someone suggest what should be tracked?
Thanks in advance
Best Regards
Igor
-
Access Control Policy - Map Job titles to User Profiles
I am drafting the Access Control Policy in conformio.
In the section 3.2, I initially have drafted the User profiles, Applications and access rights for each SW that we are using.
Then I need to map the User Profiles to the job Titles.
The question is: When mapping the Support Administrator profile, can I simply map to the Job title "mid management" or do I need to specify Support Mid Management?
What I mean is that it is obvious that the Support software administration will never be assigned to the HR Mid management, but do we need to be specific when drafting the mapping between a User Profile and a Job Title?
Will an auditor accept a high level definition?Thanks
Best Regards
Igor