Tag: "Product: Conformio" - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Clause 4.1 in Conformio

    How to satisfy ISO 27001 standard clause 4.1 in Conformio? Please advise.

  • IT Security Policy too narrow

    We are using the wizard to create the IT Security Policy, and we found that the context in the IT Security policy is too short and seems that it cannot meet the requirements of ISO 27001. For example, the context in the IT Security policy didn't make any references to SOA controls. How would you advise how we can complete the IT Security policy according to the ISO 27001 standard?

  • Necessity to include specific user

    Hi, as an IT Security Engineer I am the "Project Manager" for our company (as a role in Conformio). We have a senior project manager at our company as a consultant for ISO27001. He is sporadically consulted on our documents due to his experience in ISO certification. Do we need to include him in our Conformio and documentation or not with regard to the ISO27001 standard or not?

  • Certification process of sister company

    The majority of our finance, HR and other major departments are managed by our parent company, but our sister company wants to become ISO 27001 certified. How do we manage the certification process? Please note that we will require access to the HR and finance departments, for instance. Additionally, we are headquartered in site A and have a branch in site B, but we wish to obtain certification only for site A. How are we going to treat our employees in site B and under which category should we put this?

  • Add Further Reference Documents

    Hi firstly, thank you for creating a great product. We have a few further reference documents that we would like to include as part of the ISMS. These are related to our regulatory requirements, we should include the Australian Governments Information Security Manual (ISM) and Right Fit for Risk (RFFR). Can I please confirm the best way to add these two key documents?

  • Requirements for MSP Company Regarding Supplier Security Policy

    What requirements are there for an "MSP* - managed service provider" type of a company regarding Supplier Security Policy and Security Clauses for Suppliers and Partners? I am curious about the data exchange, as the only data exchanged was in the data servers and we are not sure if there is anything necessary for us to do in that regard.

    * managed service provider (MSP) is a third-party company that remotely manages a customer's information technology (IT) infrastructure and end-user systems.

  • ISMS Roles and Organisation within Conformio

    I’m trying to set up the ISMS organization roles for the ISO27001. Are there any guidelines about the necessary roles? Or some examples of how ISMS organization should look like and map to the Conformio roles?

  • Justification and control objectives

    I am currently running back through the statement of applicability, and was wondering what is expected of us when it comes to the audit for the justification and control objectives column. I don't necessarily have legal or contractual reasons for justifying some controls, but they still apply. For example, we are fully remote so teleworking applies. Am I allowed to fill the justification in for this with the reason being that we operate on a remote structure?

  • Incidents

    Below are the reasons why numerous incidents need to be removed:

    1. We created just for testing.
    2. We recently changed our incident management procedure in a way that incidents which are already put-in are not really relevant.

    Since currently incidents from the Incident Register cannot be removed, What are we supposed to be doing now with respect to external auditing? We are quite concerned that numerous incidents contradict the incident procedure and can be marked as non-conformity which will cause a failure. ( Client wants to remove incidents under the incident register in Conformio, but for now, we do not have the possibility to delete)

  • Audit point

    The auditor has indicated that there are a number of 2021 policies where we cannot demonstrate per date stamping in Conformio that the policies are valid/current in 2022. we don't want to change anything in the policies (e.g., information security policy), but how can we demonstrate that an older policy is still valid in 2022 given it is date stamped 2021.

Page 1 of 8 pages