SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Tag: "Product: Conformio" - Expert Advice Community

Home / Product: Conformio

Discussions

Top Contributors

Expert

Rhand Leal

4148
Discussions
Expert

Carlos Pereira da Cruz

1916
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Certification ISO 14001
Category:
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Register of Requirements and scope

    We like to have the development and QA departments of *** certified. But we like to include the hosting of our cloud service (which is done by our holding company) in all the documents already now. We have been advised to do so because we like to keep the scope small for the initial certification but extend it later. I'm now working at the Register of Requirements. How can I make transparent which requirements are for Dev/QA of *** and which are for the holding (in other words, what is in the certification scope and what's for later)?

  • Handling termination and change of employment

    What sections or where would the handling termination and change of employment with ISO 27001 be located? Not sure how where to find that.

  • Risk assessment in Conformio

    1- Why are confidentiality, availability, and integrity not considered in the Risk assessment? and how Conformio is addressing them.

    2- Why is there no prioritization for actions in RTP? This should be identified based on the risk levels. 
    we only see a list but it's not based on the risks identified.

  • Clause 7.4 Communication Register

    Dear Team - how can we generate a communication register for the 7.4 clause? We were asked for Communication Register.

  • Register of Requirements

    Underneath the register of requirements where I am asked if I am compliant with the Computer Misuse Act am I expected to have a policy or do I read and agree to the terms?

  • Risk Register & BYOD

    Our company develops software for the school management. We have a private office in a co-working space. We have employees but we are also working with freelancers. They are working from home all around the world. I have some questions about the assets for the risk register. My first question is about infrastructure assets: do we have to include the private office of Singapore co-working space? What about air conditioning, power supply...? Also same question about the co-working space in London. By extension, we have a BYOD policy. Do we need to include personal laptops and smartphones in the assets? We are using a virtual server from a third-parties provider (2 in Europe, and 1 in Singapore). Should we include these virtual servers in the assets? We have a website. Is it an asset? I saw in the list of assets: proprietary data. Could you give me an example of what it could be for us?

  • Question for assignment

    1 - For instance, in documents like SECURITY PROCEDURES FOR IT DEPARTMENT and IT SECURITY POLICY, record names, storage locations, etc. must be specified. So my concern is, how will it be if we are progressing with IT Security policy and have to write the same document name in the record name? According to my understanding, if we define a record name, there would be various documents pointing to that procedure. Let me know briefly what we can write, please.

    2 - The situation you presented is very unusual, because a record related to a document in general refers to a specific action described in the document, and would not include the name of the type of the document. For example, for the “Backup Policy” you would have a record named “backup record” or “restoration record”

    Another concern is that we don't use antivirus software, yet the IT Security Policy has a section about it. "What should we say in that section if our company doesn't use antivirus software?

    3 -If you could clarify my confusion regarding the fact that the record name here in the secure development policy prepopulates the information for the record name and also shows the procedure for secure information system engineering and testing plan for security requirements and system acceptance, will we still need to create these documents on our own? How will the records be created?

    This question is related to Section 4 in security development policy document

  • How to treat risk with own control?

    Can you please tell me how we can treat a risk in the risk register with an own security control (not one of the controls of Annex A)?

  • How to update policy in Conformio?

    How to track changes made to a policy that has already been approved and implemented, once tasks to update are marked as completed in Conformio, and how to provide evidence for these changes.

    Scenario:

    We must revise a particular policy every two weeks.
    In Conformio, recurring tasks will be generated.
    The user will mark  tasks as completed
    1-How can this modification be tracked in Conformio?
    2-what evidence can be presented and where?
Page 2 of 12 pages