Tag: "Product: Conformio" - Expert Advice Community


  • Necessity to include specific user

    Hi, as an IT Security Engineer I am the "Project Manager" for our company (as a role in Conformio). We have a senior project manager at our company as a consultant for ISO27001. He is sporadically consulted on our documents due to his experience in ISO certification. Do we need to include him in our Conformio and documentation with regard to the ISO27001 standard or not?

  • Certification process of sister company

    The majority of our finance, HR and other major departments are managed by our parent company, but our sister company wants to become ISO 27001 certified. How do we manage the certification process? Please note that we will require access to the HR and finance departments, for instance. Additionally, we are headquartered in site A and have a branch in site B, but we wish to obtain certification only for site A. How are we going to treat our employees in site B and under which category should we put this?

  • Add Further Reference Documents

    Hi, firstly, thank you for creating a great product. We have a few further reference documents that we would like to include as part of the ISMS. These are related to our regulatory requirements; we should include the Australian Government's Information Security Manual (ISM) and Right Fit for Risk (RFFR). Can I please confirm the best way to add these two key documents?

  • Requirements for MSP Company Regarding Supplier Security Policy

    What requirements are there for an "MSP* - managed service provider" type of company regarding Supplier Security Policy and Security Clauses for Suppliers and Partners? I am curious about the data exchange, as the only data exchanged was in the data servers and we are not sure if there is anything necessary for us to do in that regard.

    * A managed service provider (MSP) is a third-party company that remotely manages a customer's information technology (IT) infrastructure and end-user systems.

  • ISMS Roles and Organisation within Conformio

    I’m trying to set up the ISMS organization roles for ISO27001. Are there any guidelines about the necessary roles? Or some examples of what an ISMS organization should look like and how it maps to the Conformio roles?

  • Justification and control objectives

    I am currently running back through the statement of applicability, and was wondering what is expected of us when it comes to the audit for the justification and control objectives column. I don't necessarily have legal or contractual reasons for justifying some controls, but they still apply. For example, we are fully remote so teleworking applies. Am I allowed to fill the justification in for this with the reason being that we operate on a remote structure?

  • Incidents

    Below are the reasons why numerous incidents need to be removed:

    1. We created them just for testing.
    2. We recently changed our incident management procedure in a way that incidents which are already put in are not really relevant.

    Since currently incidents from the Incident Register cannot be removed, what are we supposed to be doing now with respect to external auditing? We are quite concerned that numerous incidents contradict the incident procedure and can be marked as a non-conformity, which will cause a failure. (The client wants to remove incidents under the incident register in Conformio, but for now we do not have the possibility to delete them.)

  • Audit point

    The auditor has indicated that there are a number of 2021 policies where we cannot demonstrate per date stamping in Conformio that the policies are valid/current in 2022. We don't want to change anything in the policies (e.g., information security policy), but how can we demonstrate that an older policy is still valid in 2022 given it is date stamped 2021?

  • Conformio and Annex A controls

    I have a client who signed a contract with a big company some time ago. This client was part of a big *** advertising group and benefited from all the resources of the group, but now he has become independent and has to implement the requirements defined in the contract in order to comply with the contract he signed before. Therefore, he asked me to implement the requirements of the contract as a priority. Here are the security policies and articles that I need to put in place first. I don't know if they can be handled separately or whether I should follow the step-by-step procedure. Let me know if you need more information.

    Policies to be put in place:

    1. Data backup policy
    2. Business Continuity Planning Policy
    3. External parties policy
    4. Data classification policy
    5. Security patch management policy
    6. Cryptographic standard
    7. Access Control Policy
    8. Remote Access Control Policy
    9. Physical and Environmental Security Policy
    10. Security and Privacy Incident Response Policy

    Articles: A.12.2.1, A.15.1.1, A.15.1.2, A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.5, A.17.1.1, A.17.1.2, A.17.1.3, A.18.2.1, A.7.1.2, A.7.2.1, A.7.2.2, A.7.2.3

  • Mapping of requirements on controls

    Here’s another question about the mapping of requirements on controls. We have a customer requirement that relates to regular reporting on the effectiveness of the ISMS. I think it would be appropriate to map this on controls A.18.2.*. From the mapping document this does not seem to be possible. There is no corresponding ‘Compliance’ area that can be selected. Actually, A.18.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should a compliance area not be selectable in the requirements register, and should A.18.* not be mapped as a result of mapping onto this area? Or any other area?