ISO 27001 & 22301 - Expert Advice Community


  • Is Conformio for us?

    *** has several offices around the globe and has a total of around 1000 employees. If all offices will be within our scope, can we still use Conformio to get our objective?
  • Question about ISO-27001

    I'm writing to ask about the requirement for a remote-only organization to own an office space in order to become ISO-27001 certified. The question has been partially answered here: https://community.advisera.com/topic/certification-of-remote-companies/ The answer explicitly states that we should ask our CB, which we have done, but since they are not allowed to provide advice beyond what is necessary for the audit (to avoid conflict of interests, I assume), I was wondering if you could provide some additional guidance on this. Namely, whether the location to be audited has to comply with some minimum requirements in terms of size, amenities, equipment and others. 1 - Would it be acceptable to rent a bare office where no actual work happens? Wouldn't that mean that risks at the office location are being minimized or eliminated altogether and that the security control A.11 (physical and environmental security) becomes non-applicable? 2 - How does that compare to a rented room or desk in a co-working space? I understand that the answer may depend on the CB and/or the kind of business being audited, but some generic advice would already be helpful for us to know our options on this matte
  • ISO 27001 Risk Assessments

    When conducting an ISO 27001 risk assessment, are the risks identified through the ISO 27001 controls themselves, or are they just random risks that our business identifies?
  • EU GDPR & ISO 27001 Integrated Documentation Toolkit questions

    1. We have completed the GDPR Assessment (file 1.1) and most of the answers are negative since we have just started working on the GDPR as well. It's mentioned in the file itself that "If you answered, “No,” to some questions, it will indicate where you need to focus your compliance efforts." Does this mean that we have to first work on what is missing from the GDPR hence, turn the "no's" into "yes" and then proceed with the ISO documents (Requirements, ISMS Scope etc.)? Or is there a different process we should follow? 2. Once we finish the first draft(s) of our ISMS scope, we would like you to review it as part of the package services we have purchased together with the documentation. Is there a certain procedure we should follow? Given the fact that the Scope is the baseline for implementing ISO, we believe that it would be wise to ensure that our ISMS scope is reasonable and meets all the necessary features.
  • Merging IT Infrastructure and ISO 27001

    As always your input is appreciated, and I hope that as a result of my questions being answered, many can benefit too when they visit Advisera. As a company we have recently acquired a business; we are currently ISO 27001 certified, they are not. We are bringing their IT assets and infrastructure under our control. In terms of compliance, from an ISO 27001 perspective, are there things we should be doing/checking to remain compliant with the ISO 27001 certification and standard?
  • Where do requirements in the area of 'Specifying mandatory safeguards' go?

    When I add a requirement and assign it to the area of 'Specifying mandatory safeguards', I do not see it appear in the Statement of Applicability or Risk Treatment Plan. So where do these requirements appear in the later workflow, and how do we keep track of implementation, etc.?
  • ISO 27001 Toolkit Support

    I would like to see if you can provide any advice on how to approach the ISO 27001 toolkit. We had a third-party internal audit that was quite brutal and while I thought I ticked all of the boxes as per the Advisera toolkit, it was clear that these documents were very inadequate for us. We failed the audit miserably, and I am left even more confused than ever before. I have many examples, but I want to start with one in particular. For A.6.5, the 2022 version toolkit says I need to use the Confidentiality Statement (09.22). Yet the guidance in 27002 for 6.5 states requirements that the confidentiality statement does not address. In our audit, I supplied the confidentiality statements as well as a work instruction to remove access upon termination. The auditor's comment was "The leaving procedure of people is only technical; Must be reviewed with HR point of view." Saying nothing about the confidentiality statement. Can you help me understand how the document pack addresses this control? Hopefully we can unlock the mystery of all of the other missing items for me.
  • Identification of processes and activities

    Hello, I hope all is well with you guys. My question is about identifying processes and activities for BIA analysis. In the BIA form from Advisera, we analyze activities. For the purpose of the example, the activity "Call Center" was typed in. Have you ever considered identifying processes and activities according to the Process Classification Framework from APQC? In this 5-step classification, activity is a very detailed part of the process. Which one should I include in the BIA analysis? ISO is very vague in this regard, with a vague division between process/activity/task.

    PCF gradation:

    1 Category
    1.1 Process Group
    1.1.1 Process
    1.1.1.1 Activity
    1.1.1.1.1 Task

    Example of PCF gradation:

    6.0 Manage Customer Service
    6.1 Develop customer care/customer service strategy
    6.1.1 Define customer service requirements across the enterprise
    6.1.2 Define customer service experience
    6.1.3 Define and manage customer service channel strategy
    6.1.4 Define customer service policies and procedures
    6.1.5 Establish target service level for each customer segment
    6.1.6 Define warranty offering
    6.1.6.1 Determine and document warranty policies
    6.1.6.2 Create and manage warranty rules/claim codes for products
    6.1.6.3 Agree on warranty responsibilities with suppliers
    6.1.6.4 Define warranty related offerings for customers
    6.1.6.5 Communicate warranty policies and offerings
    6.1.7 Develop recall strategy
    6.2 Manage patient care outreach programs
    6.2.1 Develop and implement patient care outreach programs
    6.2.2 Monitor and evaluate outcomes of patient care outreach programs
    6.2.3 Cycle outcome results into design of patient care outreach programs
    6.2.4 Monitor participation and compliance with patient care outreach programs

    What do you think about it? Kind regards, E.
  • Unable to edit the project plan

    If we implemented a project plan some time back, let's say we want to tweak a new plan that is forward looking - is that possible?

    The project wording in Conformio that is unchangeable seems to suggest that after an initial implementation project there is no ability to record or manage other discrete projects using the Conformio wizard.
    An example project item might be to enhance our monitoring capability.

    Is it the case that, instead of a future project plan/s as such, the way forward for all mini projects is to capture all tasks as part of corrective actions etc.? I.e. the Conformio project planning module is purely for initial implementation, i.e. not to cover post-implementation exercises?

    Look forward to your response, so I can advise business senior management and the auditor accordingly.

  • ISO 27001 Internal Auditor Exam - Expert Question

    Do you add or multiply to find risk? For the risk assessment, do you add or multiply the impact and likelihood of a risk? In ISO 27001, under risk assessment, the 3rd module, called risk assessment, has a chart that has them added together, and in the video he states they can be added or multiplied. So I wanted to clarify: is it actually both if they ask on the exam?
