Tag: "Product: Conformio" - Expert Advice Community


  • Conformio - acceptance of residual risk in reports

    My recollection is that where the residual risk was 3 or more, i.e., unacceptable, we reviewed the risk and the risk owner could decide to accept the residual risk. The fact that the risk owner accepted the risk does not seem to be recorded anywhere in the reports. Where can I find that? I can’t see where we say that a residual risk is accepted.
  • Statement of Applicability in Conformio

    Thank you very much for this information! I tested it and now it works, so the issue is indeed solved. However, I have one question about this task: https://i.imgur.com/9HOO8uw.png I can’t seem to find the correct place to store such information. Could you please advise where such tasks should be handled? Outside Conformio? By creating some specific document? Or is there a place inside Conformio that I can’t find?
  • Conformio - Justification in SoA

    In the Statement of Applicability, I can see preselected controls based on the risks. I’m adding additional controls as well. There is a ‘justification’ box here. Is it mandatory to type why I’m adding these extra controls?
  • Document handling in Conformio

    The process around “Documents of external origin” seems a bit out of date. In practice we need to go out and find these documents on the internet, and our organisation is also 95% remote working. Documents relating to ISO 27000 are very unlikely to physically arrive at our office. We would prefer to fully rewrite this process.
  • Conformio expert question about asset and access mgmt processes

    How does Conformio support asset and access mgmt processes?
  • Removing approved risks in Conformio

    How is it possible to remove some threats and vulnerabilities that we have already reviewed and approved?
  • Conformio questions

    1. Can I treat the Project Plan as a statement of intention? If we do not meet the deadlines we have set in the Project Plan, would this be a problem during certification? 2. At the end of each document in the wizard, there is a set review cycle of 6 months or 12 months depending on the document. Why is this set in such a way, and could I change it?
  • Conformio - setting up people and departments

    I am starting on the list of requirements. As far as contracts are concerned, I understand that we specify the clause(s) of the contracts and what they require. So, that seems fine so far.

    What detail is required?

    As far as legislation is concerned, I’m not sure how specific we get. For example, in relation to the UK GDPR/Data Protection Act 2018, do we just specify “Article 5(1)(f) of the UK GDPR - Integrity and Confidentiality (the security principle)”? You have a helpful list of legislation that may possibly affect ISO 27001. Do you have a more detailed analysis showing which parts of those acts etc. are specifically relevant to ISO 27001? For example, I believe that the Human Rights Act and the Freedom of Information Act only apply to public authorities. There are quite a lot of acts etc. that I have heard of but don’t know in detail, e.g. the Electronic Communications Act 2000. Do I have to work through all of these to see if they apply to us? That looks like a long job!

    Valid from and deadline dates

    What are these dates aimed at?
  • Scope in Conformio

    Thank you for offering assistance. We have started gathering interested parties and requirements. 

    We are struggling with the scope of this list. 

    For example, ISO 9001 covers the “local community” as an interested party. But I presume this is not applicable here because they have no interest in our ISMS and our ability to prevent a breach. If it is limited to people who have an interest in our ISMS and our ability to prevent a breach, then it would be easier.

    Our client may have concerns about our ability to keep the documentation and passwords that we possess on our systems safe from a breach.

    But the services we provide to them to keep them/their systems and data safe from a breach are not in scope, I believe…? We need to clarify that.

    Any guidance you can offer would be greatly appreciated.

Page 10 of 12 pages