Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Conformio Questions
*In the Procedure for Document and Record Control under #5- Managing records kept on the basis of this document: in the table under "Record Name", what goes there? We will be storing any external records pertaining to our ISMS in a folder on Confluence. What about the "Storage Location" - does that need to be a link or just "Confluence Folder" noted? -
Conformio risk register
I have a few questions regarding Conformio (trial). 1. First, a question about risk management methodology (the process) could you elaborate the logic behind that, is it different than in your toolkits (RA and RT) tables? Because, I haven’t used the vulnerability - threat approach, I am confused that you must choose applicable control to vulnerability and then again to threat? Or, are these applicable controls, controls which are already implemented safeguards in our environment? and we have to consider them when we do risk evaluation (the next step, these controls are already included in the risk level)? 2. Can you adjust controls also (make your own), or are there ISO A-attachments related controls only? 3. I can’t seem to adjust residual risk manually (after I have added controls appropriate to treat the risk), why is that? -
Conformio
1. ISO 27001:2022 How will the new ISO 27001:2022 affect Conformio and created policy documents? Is it wise to already aim for certification against the new standard? Does it make sense to already start implementing the new version and not the old one? 2. ISO 27001 marketing In a video accessible from Conformio, there's a statement that the time for the project manager is 0,5 day/week. That seems like too little to me if it also assumes doing consulting and guiding the organization through the certification process, such as reading, preparing, reviewing and approving documents, or performing the risk assessment and drafting implementation plans for controls. Also such statements undermine the work of project managers and consultants. What is the use of being a Lead Implementer or of all the information on your website if e.g. a secretary could run the project? -
Creating right road map to reach goals in optimal way
Actually, I have a project about ISO 27001 deployment in the company where I work. I have a lot of questions and information to know. How can I create the right road map to reach the goals in an optimal way. -
ISO 27001/Conformio questions
1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities. 2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation? -
ISO 27001 Scope
1. Do we have the ISO 9001 certification where its scope is "Customer Service and Telemarketing", is it possible to indicate the same scope on the SGSI? 2. If the YES is the answer on the scope of the ISMS, should it be included in the point 3.1 of the document on the scope of the ISMS? The inside of the point 3.1 must detail all the processes that interact within the "Service of Customer Service and Telemarketing” -
ISO 27001 Internal Audit practice and tips
Can you share some good practices when auditing ISO 27001 ISMS and Annex controls? Thanks -
What to do with legacy documents & materials
1 - I am looking at our options in regards to planning a roll out of an information classification and retention policies and tools to withing our organization to help users identify, classify, and protect sensitive data and assets for ISO 27001. Currently we have been filing all our information haphazardly in Dropbox. No standards. No management of the Dropbox folders ... so it's a mess. With 27001 we plan to setup a new structure in Dropbox and migrate/convert the Company documents/assets into the ring-fenced folders, and then freeze the existing Dropbox folders, with a long term objective of sun-setting the content. Is there a tried and tested method for this task. We have limited resources so it will take time to do. 2 - My other question is, will the auditors want to look at the legacy materials. Our aim is to put an ISO stake in the ground and have all relevant / supporting PowerX docs filed in the new folder structure. For ISO 27001 we will use Dropbox as the DMS, but will most likely migrate to alternative Apps/Software, such as Conformio in 2023. -
Risk Assessments in Conformio
1. Can assets be put in a hierarchy, so that filing cabinets can be seen as part of an office building, or firewall as part of a server? I think this would have benefits for overview and determining potentially assets affected by incidents related to other assets below or above in the hierarchy. I'm not sure whether this makes sense from a Risk Management perspective. 2. I see the same vulnerabilities for different assets, like inadequate change control for laws, regulations, etc but also for policies, procedures and work instructions. Is there a way to optimize this and to reduce the number of vulnerabilities? -
Question ISO 27001 implementation
I follow Advisera articles and Foundation Course now to learn about the implementation of ISO 27001. Thanks to all for this sharing. I want to ask you something if you could answer I will be pleased. I started to make an internship in a company and I research the steps of implementation ISO27001. This company is a small company and it's a sister company of another company. Bigger company and this company work in the same buildings right now, it even continues as an extension of the big company. Most of their assets are the same, their product and the employees are different. If this small company wants to get a certification, it is possible, right? The small firm wants to get certified In this case, I am confused about how ISO processes can be applied. Because every written procedure policy also affects the members of the other company. Awareness training will have to be given to them as well, and the management of the other firm will have to agree with it. In this case, should these two companies get ISO 27001 certificate together? Or can only this small firm get this certificate? Or should the two companies separate everything thoroughly before the certificate? Could you help about this point?