Tag: "Product: Conformio" - Expert Advice Community




  • Custom Control Creation

    Having operating system software and databases that are at the end-of-support life cycle is a serious and ever-present vulnerability in any IT operation. I do not find this vulnerability in Conformio. I then tried to create this vulnerability, but I could not find a suitable Control from the list that is presented for selection. Conformio does not allow me to create a new control. Software and Database maintenance updates would be an appropriate control. This also applies to the vulnerability of using software that is not current. Please advise how I should proceed to create this new vulnerability.

  • ISO 27001 certification

    My company was certified on ISO 27001 in 2019 and re-certified in Oct 2022. I am now implementing Conformio to help me in the on-going maintenance of the ISMS for future audits. I have just completed setting up the risk register and risk evaluation. Based on the controls that we have put in place over the years, all the risks are at an acceptable level. Our company business has been around for 30 years and we have a stable operating environment. Conformio shows a Warning message that there should be at least 10% Unacceptable Risk items to complete the Risk Register Step and to pass the certification.

    a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% Unacceptable risks?

    b) Will the certification auditor not pass the certification audit if there are no risk treatment actions?

    c) What is your recommendation?

  • Clarification on ISO 27001:2022 certification

    Good day. In the context of the current implementation of ISO 27001:2022, and towards certification, I ask if guidance may please be provided regarding the following: We are a company of around 60 employees. We are working towards implementing the standard throughout the company, and risk assessment has been done accordingly. We have come across a doubt, however. While our line of business includes manufacturing and also service provision, we also plan to offer a cloud-based platform, accessible to customers via access credentials, where they can access information related to the equipment/services we provide.

    1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.

    2 - If they were to be separate, how would this even be managed in Conformio?

  • Setting up and passing the audit

    As we have two entities, one in Site A operating under the supervision of the regulator and the second in Site B providing services for the Site A entity, a few things to clarify:

    1 - Is the setup, documents, actions etc. enough for both entities, or will I have to prepare two different setups?

    2 - Also, do we have to pass an audit to certify both entities, or is only the regulated body enough?

  • Residual Risk Question

    The risk assessment and treatment plan output document includes only the risk rating before the measures to mitigate risks. The auditor would like to see the measures taken to mitigate risk and the residual risk level in the output document. This information is available in the software but not in the pdf created by Conformio.
    Could you please add this information to the pdf document?

  • Procedure for document and record control

    We are actually working on the document 'PROCEDURE FOR DOCUMENT AND RECORD CONTROL'.

    For ***, I am guessing whether it can be Conformio Platform or not.

    Each external document that is necessary for the planning and operation of the ISMS must be recorded in the *** or in the *** according to their form. The *** and the *** must contain the following information: sender, document name, and date of receipt.

    The person who receives such external documents in paper or other physical forms (e.g., through regular mail or as courier parcels) must make a record in the ***. The person who receives external documents in electronic form (e.g., through email) must record them in the ***.

    Question: I would like to know if we can use Conformio instead of a CRM (which makes no sense in this case).

  • Code of Conduct

    Hi Team, can you please let me know how I can create our Code of Conduct? Thanks.

  • Sample document

    We have recently completed a sample document; however, is there a document equivalent to create within Conformio that may have a different style or format?

  • ISO sign off on staff policy

    ISO 27001 requires that staff sign off on policies that have been distributed to them and that are applicable to them.
    I couldn't find a mechanism in Conformio that provides for this.

    Can you please let me know how to handle this requirement?

  • Register of requirements: Granularity of entries

    Regarding the Conformio Register of requirements: I don't understand how granular the entries should be (recommended or required by the ISO 27001:2022 standard). We have a lot of contracts with different customers, but the contracts themselves have the same content. Should we create a new entry for every customer contract, or would it be sufficient to create a general entry for all contracts with the same content? Or should we even create a new entry for every requirement of each contract of every customer?
