Guest
In the case of a group of three companies (A, B, C), company A is to be certified. All three companies have their own, independent customers and suppliers. The servers and network components of all three companies are located in the data center of company A. How must the SCOPE of company A be described if the servers and network components of companies B and C are NOT to be part of the certification?
My name is the only available user for the steps in Conformio. What other users/roles would you recommend that I add? (Or does that actually come later in the process? The guide says I should not skip any steps, but at the same time I feel I need some new roles and users in the system)
We like to have the development and QA departments of *** certified. But we like to include the hosting of our cloud service (which is done by our holding company) in all the documents already now. We have been advised to do so because we like to keep the scope small for the initial certification but extend it later. I'm now working at the Register of Requirements. How can I make transparent which requirements are for Dev/QA of *** and which are for the holding (in other words, what is in the certification scope and what's for later)?
What sections or where would the handling termination and change of employment with ISO 27001 be located? Not sure how where to find that.
1- Why are confidentiality, availability, and integrity not considered in the Risk assessment? and how Conformio is addressing them.
2- Why is there no prioritization for actions in RTP? This should be identified based on the risk levels.
we only see a list but it's not based on the risks identified.
Dear Team - how can we generate a communication register for the 7.4 clause? We were asked for Communication Register.
Underneath the register of requirements where I am asked if I am compliant with the Computer Misuse Act am I expected to have a policy or do I read and agree to the terms?
I am a bit confused.. 🙃
How do you go about versioning and labelling when using a tool like Conformio? Or is it not relevant in this case any more? Everywhere I look it says SoA has to be a document with the version control, classification label, etc. on it. In case of an online database this would not be the case.
But how do auditors react to this fact? Is it fully ok to use 21 century inventions like this? 🧐
1 - For instance, in documents like SECURITY PROCEDURES FOR IT DEPARTMENT and IT SECURITY POLICY, record names, storage locations, etc. must be specified. So my concern is, how will it be if we are progressing with IT Security policy and have to write the same document name in the record name? According to my understanding, if we define a record name, there would be various documents pointing to that procedure. Let me know briefly what we can write, please.
2 - The situation you presented is very unusual, because a record related to a document in general refers to a specific action described in the document, and would not include the name of the type of the document. For example, for the “Backup Policy” you would have a record named “backup record” or “restoration record”
Another concern is that we don't use antivirus software, yet the IT Security Policy has a section about it. "What should we say in that section if our company doesn't use antivirus software?
3 -If you could clarify my confusion regarding the fact that the record name here in the secure development policy prepopulates the information for the record name and also shows the procedure for secure information system engineering and testing plan for security requirements and system acceptance, will we still need to create these documents on our own? How will the records be created?
This question is related to Section 4 in security development policy document