
  • Economic operator definition

    If I understand correctly, they are distributors. Obligations of distributors are described in Article 14.

    Please, go through the article and if you will have some more questions, do not hesitate to contact us.
  • Policies specific to HR & Admin

    The "Statement of acceptance of ISMS documents" is the way used to require employees to observe all the documents prescribed by the organization in its information security management system.

    In Conformio there is no such document because the information about which user read which document is tracked automatically by the platform and can be accessed when needed (i.e., instead of a static document which needs to be signed every time a new document is released, in Conformio this information is provided automatically as soon as the user reads the document).

    You can see the details about which document was read, or not, by which user in the Responsibility Matrix, using the filter “One-time tasks” and searching for the title “Please read the document…”.

    Additionally, this information can also be tracked within each step in the wizard by checking the Version history for this document.

  • Report on selection of software technology

    ISO 27001 does not prescribe such a type of report. In terms of systems development/acquisition, one document you can take a look at is the Specification of Information System Requirements: https://advisera.com/27001academy/documentation/specification-of-information-system-requirements/

    The purpose of this specification is to document all requirements for new information systems, and for improvements of existing information systems. This information can be used as input for your report.

    This article will provide you with a further explanation about system development:

  • Questions about laws and regulations

    1. Is the information updated? Can we use it as it is? We operate in the USA, Germany, and China, and also a bit in Spain and England.

    Please note that this list is not fully up-to-date because it depends on voluntary contributions from our readers. To make sure you have the latest list of laws and regulations, it would be best to hire a local legal adviser. You can use it as a starting point.

    2. Is this list valid for both the control A.18.1 Compliance with legal and contractual requirements and clause 4.2 Understanding the needs and expectations of interested parties? Or, what is the difference?

    You can use the information in this list to partially cover both clause 4.2 and control A.18.1.1 (you also need to consider contractual requirements).

    This article will provide you with a further explanation about needs and expectations:

  • Conformio - Bring your own device policy

    Please note that the BYOD concept is related to all kinds of devices that belong to employees and are allowed to access the company’s information/information systems, so personal mobile phones are naturally part of the BYOD policy scope. In section 3.3 of this policy (Which devices are allowed), you can define which personal mobile phones, or other personal devices, are allowed to access the company’s networks.

    This article will provide you with a further explanation about BYOD policy:

  • Template for guideline for testing and controlling measures for protection of information security

    We are not experts on German BaFin, but as a guideline for testing and controlling the measures for the protection of information security we suggest you take a look at this template:

    This article will provide you with a further explanation about an audit checklist:

  • Data center questions

    1 - Can we get a certificate for an empty data center? I mean that the data center is now empty, without any IT equipment. The equipment will be connected later, after we certify.

    Please note that ISO 27001 is about the protection of information security, and if there is no information to be protected in your data center it cannot be certified against ISO 27001.

    2 - And what are the data center dependencies if my ISO scope is going to be a datacenter only?

    When the ISO scope is the datacenter only, examples of dependencies can be:

    • business units that use the data center (they define requirements for the protection of information)
    • manufacturers of data center equipment
    • providers of communication links and electric power

    These articles will provide you with a further explanation about defining the ISMS scope:

  • Purchasing and Evaluation of Suppliers

    Section 3.3 Evaluating suppliers and section 3.4 Criteria for selecting suppliers apply to the already approved suppliers. The process of employing new suppliers is described in section 3.2.

  • Toolkit content - A.6.1

    Please note that control A.6.1.1 Information security roles and responsibilities is implemented in all templates of the toolkit (it does not require a separate document). Also, top-level roles and responsibilities are listed in the Information Security Policy.

    Controls A.6.1.2 Segregation of duties, A.6.1.3 Contact with authorities and A.6.1.4 Contact with special interest groups do not require specific documentation, so there is no need to develop a policy or procedure for them.

    In cases like this, you only need to provide a record showing how it was performed. For example, for control A.6.1.2 you only need to provide a list of which activities were divided. For controls A.6.1.3 and A.6.1.4, you need to provide a list of which authorities / special interest groups need to be contacted. Since the presentation of this information can vary according to the information systems of each organization, it is unfeasible to provide a template for recording this information.

    About control A.6.1.5 Information security in project management, here's an article that explains the details of its application:
    - How to manage security in project management according to ISO 27001 A.6.1.5 https://advisera.com/27001academy/what-is-iso-27001/

  • Context of the Organization, where is this in Conformio?

    Clause 4 (Context of the organization) of ISO 27001:2013 has 4 sub-clauses:
    - 4.1 Understanding the organization and its context – ISO 27001 does not require internal and external issues related to the ISMS to be documented. These internal and external issues need to be taken into account when defining the scope (please see the explanation below).
    - 4.2 Understanding the needs and expectations of interested parties – the evidence for this sub-clause is the list of applicable legislation and contractual requirements, available in the Register of requirements module, and in the List of Legal, Regulatory, and Contractual Requirements report, generated by this module.
    - 4.3 Determining the scope – the evidence of this sub-clause is the ISMS Scope document
    - 4.4 Information security management system – all documents and records created in Conformio are evidence for this sub-clause

    In case the auditor requests evidence of clause 4.1, you can use the ISMS Scope document and the Risk Assessment and Risk Treatment report, because internal and external issues are used as input for their elaboration.

    This article will help you:
    - Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization) https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
