Guest
1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.
2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?
I have a question about which assets to select in the risk register, for instance, in the IT and communication equipment category. We certify Company A, which is a subsidiary of Company B. The equipment Company A uses (server rooms, servers, desktop computers, notebooks, and small items) belongs to Company B, and Company A rents it. The alarm system and key cards are also provided by Company B for the subsidiaries. Do we only select assets that are owned by Company A, or all assets that are used by Company A?
At our last surveillance audit, our assessor raised a non-conformity on the basis that our initial risk assessment, showing many of the risks as being acceptable (i.e. scoring less than 3), did not show any justification for why we made that assessment, and Conformio doesn't require that. Our assessment would have been based on the controls etc. already in place at that time.
Obviously, you are of the view that when making the initial assessment, it’s not necessary for us to record why we make that assessment. What is the reasoning behind this?
I'm in the process of creating the Register of Legal, Contractual, and Other Requirements.
Q: How specific do I need to be? Is this where I list all our clients, suppliers, etc., or do I give more top-line information and detail the specific interested parties later on?
I wanted to clarify that all the policy documents we've prepared specify a requirement for a 6-month review. However, the specific controls we discussed are not mentioned in the documents. My question is whether, according to the policy, we need to review the controls every 6 months or if we have the flexibility to define the update frequency for the controls ourselves, separate from the document reviews. Please refer to the attached image for more details.
As we have two entities, one in Site A operating under the supervision of the regulator and the second in Site B providing services for the Site A entity, a few things to clarify:
In addition to that, the situation has now changed slightly, as we have another regulated entity in Site C, and I need this to be added to the answer. I need clarification on how to action this, as we now have three companies in total under Company:
Company A - the Site B company that is providing services for the rest of the companies
Company B - the Site A-regulated company
Company C - the Site C-regulated company
We just have a question regarding the documents and then we are happy to upgrade.
I generated Information Security Policy using the document wizard, but it was missing the following information:
Is there something we missed during the document wizard or anyway to generate the complete document?
Since we need to provide these policies to our customers and want to pass ISO 27001, that would be great to know how to generate the complete document.
In the Conformio implementation step "Procedure for document and record control", the document Purpose states "This procedure is applied to all documents and records related to the ISMS". How can I change that?
However, the Requirements section reads "You may choose whether these rules apply only to information security policies, procedures, plans and records, or to the documentation for your whole company."
How do I change the document to reflect that?
In the case of a group of three companies (A, B, C), company A is to be certified. All three companies have their own, independent customers and suppliers. The servers and network components of all three companies are located in the data center of company A. How must the SCOPE of company A be described if the servers and network components of companies B and C are NOT to be part of the certification?
My name is the only available user for the steps in Conformio. What other users/roles would you recommend that I add? (Or does that actually come later in the process? The guide says I should not skip any steps, but at the same time I feel I need some new roles and users in the system)