Search results

Change Management in Conformio

Rules to manage documents within Confomio are defined in the Procedure for Document and Record Control, section 3.4 Document Updates.

Information about performed changes is recorded in the Change History table included in each document.

Residual risk

1 - In your experience what would you say about multiple risk assessments for in-scope Business units as opposed to one asset-based risk assessment for the company? I ask because I work for a large company with over 3000 employees and it’s hard to do one risk assessment for the entire company as different assets are owned and managed by different teams/Business units, and these even overlap sometimes, e.g. an asset may have multiple owners.

ISO 27001 requires that the risk assessment results are comparable, which means that you need to use the same risk assessment methodology in your whole company (no matter if the company is large or small). Of course, a larger company could perform the risk assessment in several iterations (or sub-projects), but it is important that this is done using a company-wide risk assessment methodology.

2 - How would you determine the residual risk scores after you have implemented the controls to manage risks identified? Do you create another 2 columns for impact and likelihood after the initial impact and likelihood assessment that resulted in the inherent risk scores?

Your assumption is correct. The residual risk must be recorded in different columns, so it can be possible to compare the values before and after control implementation.

For further information, see:

• Why is residual risk so important? https://advisera.com/27001academy/knowledgebase/why-is-residual-risk-so-important/

3 - In terms of scoping the risk assessment you mentioned using our ISMS scope statement, but our scope isn't based on assets but on processes?

Please note that while the proposed risk assessment is based on assets, these assets need to be related to the processes included in the ISMS scope statement, so the risk assessment makes sense to the ISMS.

Non-conforming products

1. who make the "UAI" ?

Is it always necessary to contact the Customer to approve the out-of-spec "dimensions"?

CISO role vs ISO 27001 implementer

In general, a CISO is a seasoned professional that has already been involved in information security management systems implementation (as a team member or project manager). For small companies (up to 50 employees) you can expect a CISO to manage the ISMS implementation. For bigger companies, you should consider designating additional personnel (e.g., other employees or an external consultant) due to the volume of work to be performed.  

About questions for the candidate, you can ask about his previous experience with implementation projects and his suggestion about how to implement it in your organization.  

For further information, see:

• What is the job of Chief Information Security Officer (CISO) in ISO 27001? https://advisera.com/27001academy/knowledgebase/what-is-the-job-of-chief-information-security-officer-ciso-in-iso-27001/
• What to look for when hiring a security professional https://advisera.com/27001academy/blog/2016/02/15/what-to-look-for-when-hiring-a-security-professional/

Implement ISO 27001 & ISO 22301- ISMS and BCMS Manual

Please note that neither ISO 27001 nor ISO 22301 require the development of a Manual, and for good reasons. If you put all the policies and procedures into a single document, this will make their reading very difficult and maintenance more complex.  

Since this is a requirement for a specific market need, we suggest:

• For ISO 27001 you can use the Information Security Policy and the Statement of Applicability as a single document to describe briefly how your company will implement its information security.
• For ISO 22301 you can use the Business Continuity Policy and the Business Continuity Strategy as a single document to describe briefly how your company will implement its business continuity.

This article will provide you with further explanation about ISMS Manual (the same concept applies to BCMS):

• Is the ISO 27001 Manual really necessary? https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/

This material will also help you regarding ISMS documentation:

• Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/

Can the same person prepare and review document?

Yes, the person that prepares a document can be the one who reviews it. Please check ISO 9001:2015 clause 7.5.2 c). Can you see any limitation imposing the separation between who prepares and who reviews? There is no such limitation.

Filling Procedure for Document and Record Control

Since you are also implementing ISO 22301, then you need to go with your second option, and put an “and” in between ISMS and BCMS.

How to update policy in Conformio?

1. How can this modification be tracked in Conformio?

Please note that each document itself contains a “Change history” section which provides information about previous and current versions (e.g., approval date, approver, description of the change, etc.)

In Conformio, in the section “Documents”, accessed through the left side panel in the main screen, you can access the “Policies and procedures” folder where you can find all policies and procedures generated by Conformio.

2. What evidence can be presented and where?

As evidence of control of policies and procedures changes you can also show the Change history record.

Are CRM certificates considered external documents?

Yes, CRM certificates are external records. Any information that is required by the laboratory, but not created by the laboratory, is an external document.
Note that they require correct control as the requirements of clause 6.4, Equipment, apply to CRM certificates too. This means that the reference data needs to be verified as fit for use, providing sufficient information to maintain confidence in reference material. The storage and handling of the Reference data, including results, acceptance criteria, relevant dates, and the period of validity must also be controlled.