Search results

Conformio documentation

1 - Clause 7.4 – Communication ( how to evidence the communications plan).  Where do I find this information on the system?

Answer: Communication is an activity that is performed by many processes in information security, with different purposes, so in general, for medium and small businesses there is no point in creating a centralized communication plan, because it would be to complex to use and maintain by people responsible for communication.

For small and medium-sized organizations information related to communication, communication activities are defined in documents like:
- Information Security Policy
- Incident Management Procedure
- Disaster Recovery Plan

Each of these documents specify who needs to communicate what.

Additionally, there is some communication that is performed outside of Conformio – e.g., through emails, Slack, verbal, etc. 

2 - Clause 8.1 - Operational planning and control (To see the ISMS Calendar/Planner). Where do I find this information on the system? 

Answer: The ISMS scheduled activities (i.e., action, responsible, and frequency) related to implementation and control of information security processes (e.g., risk assessment, monitoring and measurement of controle and security objectives, internal audit, etc.), as well as of those activities related to management of necessary documentation (e.g., policies and procedures) can be found in the Responsibility Matrix. This matrix is developed based on the activities defined in each approved document (i.e., when a document is approved the activities defined on them are included in the responsibility matrix). 

3 - Clause 9.1 - Monitoring, measurement, analysis and evaluation (To see the measurement & Metrics and measurement results).  Where do I find this information on the system?

Answer: You define required metrics and measurements in the “Setting up Management review” step. Achieved results can be found in the “Reporting dashboard” and in the “First Official Management Review” step.

4 - Clause 10.2 - Continual improvement (To see ISMS continual improvement log).   Where do I find this information on the system?

Answer: The information about continual improvement can be found as corrective actions defined in the Nonconformity module.

5 - A.18.2.2 – Report of information security compliance monitoring from various Managers/Heads of Heads or plan of action. How do I capture or evidence this in the system?

Answer: First is important to note that the specific requirements to report compliance need to be identified through the “Register of requirements module”. This module will identify which laws, regulations and contracts you need to comply to, and by reading these requirements you will identify how to evidence compliance (e.g., by releasing a report, by performing an audit/management review, etc.)

Considering that, some examples of elements that can provide evidence of compliance are audit reports (through the Internal Audit Module), management review minutes (through Management Review Module), and the Dashboards in the Reporting Module.

6 - and Finally, How to use Conformio to test the effectiveness of the ISMS in the organization?

Answer: To find out if ISMS is effective, you need to perform two activities:

1) Internal audit - in Conformio you have a separate step for that purpose that takes you to the Internal audit module. 

2) Measure if the ISMS is fulfilling the objectives - in Conformio you can find this in dashboards in the Report module.

CRM Document Management

Your approach for embedding document management into your CRM will be acceptable by the auditor provided you comply with the standard’s requirements (clause 7.5):

• How, and by whom, documents are approved?
• Who needs to access the documents and how do they do that
• How documents are protected
• How documents are changed
• For how long documents are kept and how they are disposed of when do not need anymore

Please note that if it is not possible to use the CRM to comply with all requirements you can still use a combination of CRM and Conformio to achieve compliance.

For further information, see:

• How to manage documents according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2021/06/27/how-to-manage-documents-according-to-iso-27001-and-iso-22301/

ISO/IEC 27001 Audit

In fact, such a situation is unusual, but not a sufficient reason for a problem. The auditor will probably make additional checking, considering:

• which conditions you have defined that require opening a non-conformity. For example, in some situations, one or two minor events related to the system may happen, and the system performance still is at acceptable levels, so raising a nonconformity is not required.
• reports on the performance of implemented controls, to check if they were working properly considering the period audited.  

Based on the evidence found related to systems performance conditions and reports about controls performance, the auditor may conclude that in fact, the system is reliable enough and that the lack of incidents and non-conformities (or the low number of incidents and lack of non-conformities) is justifiable.  

For further information, see:

• Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/

Approved Certification bodies

Thanks for your response Rhand, this helps.

ISMS audit

I will keep it as my guidance in after audit programs, thank you.

ISO 13485 for trading of medical devices

If you only make export and import of medical devices, It is not a regulatory requirement to be ISO 13485 certified. What is expected from the importer and distributor of medical devices is stated in Article 13 and Article 14.

For more information, see:

• EU MDR Article 13 - General obligations of importers https://advisera.com/13485academy/mdr/general-obligations-of-importers/
• EU MDR Article 14 - General obligation of distributors https://advisera.com/13485academy/mdr/general-obligations-of-distributors/

• Planned implementation of changes to ISMS

  Please note that ISO 27001 clause 6.3 does not require a specific document to be developed to manage changes in the ISMS.

  Considering that, you can use one of these documents to manage changes:

  • Risk Treatment Plan, located in folder 08 Implementation Plan - through this document you plan for each new security control, process, or activity
  • Change Management Policy, located in folder 09 Annex A Security Controls
  • Security Procedures for IT Department, located in folder 09 Annex A Security Controls

  For further information, see:

  • How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

  • Toolkit documentation

    Please note that ISO 27001 does not require documents to be developed to implement controls A.7.5 and A.7.8, so a brief description of their implementation can be included in the Statement of Applicability, and this template can be found in folder 06 Applicability of Controls (in this template a suggested text on how to document this information is included).

  • DR distance

    Please note that there is no definitive answer about how far apart a disaster recovery site should be.

    Main ISO standards covering this topic (ISO 27001, for information security, and ISO 22301 for business continuity), as well as most regulations and industry practices, do not define any specific distance to recovery sites, because many factors can affect what would be considered a “safe” distance (e.g., type of disaster, access to public services, risk level, etc.). From our experience, we suggest you start a discussion suggesting a distance between 30 miles (50 kilometers) and 100 miles (160 kilometers) away from your primary location, and from that analyze your organization's context (a geographic situation, available resources, required investment, etc.).  

    This article will provide you with a further explanation of the distance of the recovery site:

    • Disaster recovery site – What is the ideal distance from primary site? https://advisera.com/27001academy/knowledgebase/disaster-recovery-site-what-is-the-ideal-distance-from-primary-site/