Tag: "Product: Conformio" - Expert Advice Community


  • Guidance on Missing ISMS Documentation and Implementation Drafts

    1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.

    2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?

  • Question on risk register and selection of the assets

    I have a question about which assets to select in the risk register, for instance, in the IT and communication equipment category. We certify Company A, which is a subsidiary of Company B. The equipment Company A uses (server rooms, servers, desktop computers, notebooks, and small stuff) belongs to Company B and Company A rents it. The alarm system and key cards are also provided by Company B for the subsidiaries. Do we only select assets that are owned by Company A, or all assets that are used by Company A?

  • Initial Risk Assessment Non-conformity

    At our last surveillance audit our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable, i.e. scoring less than 3, did not show any justification for why we made that assessment, and Conformio doesn't require that. Our assessment would have been based on the controls etc. already in place at that time.

    Obviously, you are of the view that when making the initial assessment, it's not necessary for us to record why we make that assessment. What is the reasoning behind this?

  • Creating the Register of Legal, Contractual, and Other Requirements

    I'm in the process of creating the Register of Legal, Contractual, and Other Requirements.

    Q: How specific do I need to be? Is this where I list all our clients, suppliers, etc., or do I give more top-line information and detail the specific interested parties later on?

  • Clarification Regarding Control Review Frequency in Policy Documents

    I wanted to clarify that all the policy documents we've prepared specify a requirement for a 6-month review. However, the specific controls we discussed are not mentioned in the documents. My question is whether, according to the policy, we need to review the controls every 6 months or if we have the flexibility to define the update frequency for the controls ourselves, separate from the document reviews. Please refer to the attached image for more details.

  • Certification scope

    As we have two entities, one in Site A operating under the supervision of the regulator and the second in Site B providing services for the Site A entity, a few things to clarify:

    • Is the setup, documents, actions etc. enough for both entities, or will I have to prepare two different setups?
    • Also, do we have to pass an audit to certify both entities, or is certifying only the regulated body enough?

    In addition to that, the situation now is slightly changed as we have another regulated entity in Site C and I need this to be added in the answer. I need clarification on how to action as we have now in total 3 companies under Company:

    Company A - the Site B company that is providing services for the rest of the companies

    Company B - the Site A-regulated company

    Company C - the Site C-regulated company

  • Conformio questions

    We just have a question regarding the documents and then we are happy to upgrade.

    I generated the Information Security Policy using the document wizard, but it was missing the following information:

    • Exception Handling: How exceptions to the policy will be managed is not stated. Usually, there's a process for requesting an exception and how it's reviewed.
    • Consequences of Non-Compliance: Outline what the consequences are for employees who do not adhere to the policies.
    • Links to Other Policies and Procedures: Usually, the top-level policy should link to or reference other detailed policies and procedures (e.g., Access Control Policy, Incident Response Plan).
    • External Parties: You mention that the policy applies to 'relevant external parties'. It might be useful to specify who these external parties are (vendors, contractors, etc.).
    • Review Frequency: You've stated the document must be reviewed every 12 months. It's good to also mention under what other conditions a review would be triggered (e.g., after a security incident).
    • Audit and Monitoring: There's no mention of how compliance with this policy will be audited or monitored.
    • Document Storage and Versioning: Information on where this document will be stored, how it will be versioned, and who will have access should be added.
    • Terminology: While you've defined basic security terminologies, the inclusion of more specific terms used in the document might be beneficial.

    Is there something we missed during the document wizard, or any way to generate the complete document?

    Since we need to provide these policies to our customers and want to pass ISO 27001, it would be great to know how to generate the complete document.

  • Apply procedure for document and record control only to information security policies in Conformio?

    In the Conformio implementation step "Procedure for document and record control", the document Purpose states "This procedure is applied to all documents and records related to the ISMS". How can I change that?

    However, the Requirements section reads "You may choose whether these rules apply only to information security policies, procedures, plans and records, or to the documentation for your whole company."

    How do I change the document to reflect that?

  • Scope

    In the case of a group of three companies (A, B, C), company A is to be certified. All three companies have their own, independent customers and suppliers. The servers and network components of all three companies are located in the data center of company A. How must the SCOPE of company A be described if the servers and network components of companies B and C are NOT to be part of the certification?

  • Conformio roles

    My name is the only available user for the steps in Conformio. What other users/roles would you recommend that I add? (Or does that actually come later in the process? The guide says I should not skip any steps, but at the same time I feel I need some new roles and users in the system)
