Tag: "Product: Conformio" - Expert Advice Community

  • Training Register

    I can deduce that Conformio provides a register to record all training requirements for individual employees or employee groups (the trainee name need not be a person). The date is just the date when the new training is created. After the training is created, I just need to update its status as it progresses until it is "Performed". The PDF report will just show all the training records created with various statuses, which is not very helpful.

    I thought that ISO 27001 requires that we have an annual training plan for the company, and Conformio is not doing it for us? Please advise.

  • Supplier questionnaire

    Hi, I need help to produce the following for the suppliers that we work with: I need to confirm the correct questions to send out, the risk scoring, and a policy. Below are the questions for suppliers regarding their security posture.

    • Confirm which of the following you have in place: Firewall? IDS or IPS? Secure configuration? Anti-virus/malware protection? EDR/MDR/XDR? Patch management? Access control? Multi-factor authentication? Email spam filtering? Network behaviour monitoring?
    • Do you know what devices connect to your network and who has access?
    • Do you follow any security frameworks?
    • Do you have Cyber Essentials?
    • Do you conduct vulnerability and penetration testing?
    • Do you have backups?
    • Do you have a security and acceptable use policy?
    • Do you have information security policies in place?
    • Do you have access control policies in place?
    • Do you conduct cyber security awareness training?
    • Do you have a disaster recovery plan?
    • Do you have an incident response plan?
    • Do you have anything in place with your supply chain to combat a cyber-attack?

  • Conformio documentation

    Clause 7.4 – Communication (how to evidence the communications plan). Where do I find this information on the system?
    Clause 8.1 – Operational planning and control (to see the ISMS calendar/planner). Where do I find this information on the system?
    Clause 9.1 – Monitoring, measurement, analysis and evaluation (to see the measurements and metrics and the measurement results). Where do I find this information on the system?
    Clause 10.2 – Continual improvement (to see the ISMS continual improvement log). Where do I find this information on the system?
    A.18.2.2 – Report of information security compliance monitoring from various Managers/Heads, or plan of action. How do I capture or evidence this in the system?

    And finally, how do I use Conformio to test the effectiveness of the ISMS in the organization?

  • CRM Document Management

    As it is a small company, it would be beneficial to complete most document management within the CRM to enable embedding security in all aspects of service delivery. What is the likely view of auditors of such an approach? This would of course be reflected in the Records Management document.

  • Custom Control Creation

    Having operating system software and databases that are at the end of their support life cycle is a serious and ever-present vulnerability in any IT operation. I do not find this vulnerability in Conformio. I then tried to create this vulnerability, but I could not find a suitable control from the list that is presented for selection. Conformio does not allow me to create a new control. Software and database maintenance updates would be an appropriate control. This also applies to the vulnerability of using software that is not current. Please advise how I should proceed to create this new vulnerability.

  • ISO 27001 certification

    My company was certified to ISO 27001 in 2019 and re-certified in Oct 2022. I am now implementing Conformio to help me in the ongoing maintenance of the ISMS for future audits. I have just completed setting up the risk register and risk evaluation. Based on the controls that we have put in place over the years, all the risks are at an acceptable level. Our company has been in business for 30 years and we have a stable operating environment. Conformio shows a warning message that there should be at least 10% unacceptable risk items to complete the Risk Register step and to pass the certification.

    a) Is it necessary for me to artificially amend the risk evaluation to achieve the 10% unacceptable risks?

    b) Will the certification auditor not pass the certification audit if there are no risk treatment actions?

    c) What is your recommendation?

  • Clarification on ISO 27001:2022 certification

    Good day. In the context of the current implementation of ISO 27001:2022, and towards certification, I ask if guidance may please be provided regarding the following: We are a company of around 60 employees. We are working towards implementing the standard throughout the company, and the risk assessment has been done accordingly. We have come across a doubt, however. While our line of business includes manufacturing and also the provision of services, we also plan to offer a cloud-based platform, accessible to customers via access credentials, where they can access information related to the equipment/services we provide.

    1 - From the implementing/certification point of view, shall the described be considered globally, all included in the implementation/certification, or rather, is it possible or advisable to separate them? I.e., consider the platform separately, with its own certification.

    2 - If they were to be separate, how would this even be managed in Conformio?

  • Setting up and passing the audit

    As we have two entities, one in Site A operating under the supervision of the regulator and a second in Site B providing services for the Site A entity, a few things to clarify:

    1 - Is the setup, documents, actions etc. enough for both entities, or will I have to prepare two different setups?

    2 - Also, do we have to pass an audit to certify both entities, or is only the regulated body enough?

  • Residual Risk Question

    The risk assessment and treatment plan output document includes only the risk rating before the measures to mitigate risks. The auditor would like to see the measures taken to mitigate risk and the residual risk level in the output document. This information is available in the software but not in the PDF created by Conformio.
    Could you please add this information to the PDF document?

  • Procedure for document and record control

    We are actually working on the document 'PROCEDURE FOR DOCUMENT AND RECORD CONTROL'.

    For ***, I am wondering whether it can be the Conformio platform or not.

    Each external document that is necessary for the planning and operation of the ISMS must be recorded in the *** or in the *** according to their form. The *** and the *** must contain the following information: sender, document name, and date of receipt.

    The person who receives such external documents in paper or other physical forms (e.g., through regular mail or as courier parcels) must make a record in the ***. The person who receives external documents in electronic form (e.g., through email) must record them in the ***.

    Question: I would like to know if we can use Conformio instead of the CRM (which makes no sense in this case).
