Thank you for the following… I’m already testing the 30-day trial of the Conformio platform; it looks very interesting! I have one question related to the corporate use of Conformio. I work in a mid-size company that has 2 different business units. If I want to implement ISO 27001 for both business units on a different timeline, do I need to purchase 2 licenses of Conformio, or can I manage the ISO 27001 implementation for both with just one license? For example, one this year and the other in 2023? Those B.U. are not different companies, but they have a different structure, with different IT departments, for example, and different interested parties for the ISO 27001 certification accomplishment.
Conformio - acceptance of residual risk in reports
My recollection is that where the residual risk was 3 or more, i.e., unacceptable, we reviewed the risk and the risk owner could decide to accept the residual risk. The fact that the risk owner accepted the risk does not seem to be recorded anywhere in the reports. Where can I find that?
I can’t see where we say that a residual risk is accepted
Statement of Applicability in Conformio
Thank you very much for this information! I tested and now it works. So the issue is indeed solved.
However I have one question about this task:
I don’t seem to find the correct place to store such information. Could you please advise where such tasks should be handled? Outside Conformio? By creating some specific document? Or is there a place inside Conformio that I can’t find?
Conformio - Justification in SoA
In the Statement of Applicability, I can see preselected controls based on the risks.
I’m adding additional controls as well. There is a ‘justification’ box here. Is it mandatory to type why I’m adding these extra controls?
Document handling in Conformio
The process around “Documents of external origin” seems a bit out of date. In practice we need to go out and find these documents on the internet, and also our organisation is 95% remote working. Documents relating to ISO 27000 are very unlikely to physically arrive at our office. We would prefer to fully rewrite this process.
Conformio expert question about asset and access mgmt processes
How does Conformio support asset and access mgmt processes?
Removing approved risks in Conformio
How is it possible to remove some threats and vulnerabilities that we already reviewed and approved?
Conformio questions
1. Can I treat the Project Plan as a statement of intention? If we do not meet the deadlines we have set in the Project Plan, would this be a problem during certification?
2. At the end of each document in the wizard, there is a set review cycle of 6 months or 12 months depending on the document. Why is this set in such a way and could I change it?
Conformio - setting up people and departments
I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.
What detail is required
As far as legislation is concerned, I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018, do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”?
You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc. are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities.
There are quite a lot of acts etc. that I have heard of but don’t know in detail, e.g. the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!
Valid from and deadline dates
What are these dates aimed at?