Tag: "Product: Conformio" - Expert Advice Community

Home / Product: Conformio

Discussions

Top Contributors

Expert

Rhand Leal

4151
Discussions
Expert

Carlos Pereira da Cruz

1915
Discussions
Expert

Dejan Kosutic

365
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Product: ISO 27001/Risk Assessment Table ISO 14001 Product: ISO 27001 Internal Auditor Course
Category:
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Mapping of requirements on controls

    Here’s another question about the mapping of requirements on controls. We have a customer requirements that relates to regular reporting on the effectiveness of the ISMS. I think it would be appropriate to map these on controls A.18.2.*. From the mapping document this does not seem to be the possible. There is no corresponding ‘Compliance’ are that can be selected. Actually, A.18.* controls are absent from the mapping altogether, as is the case for A.7 Human resources controls. Should a compliance area not be selectable in the requirements register and should A.18.* not be mapped as a result of mapping onto this area? Or any other area?

  • Register of legal, contractual and other requirements

    1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

    2 - For ISMS Scope: we’re not sure what to include and what to exclude! do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

    3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

    4 - For IT Security policy: is it only 1 global policy? Or we need to add related policies like: backup policy, cloud policy, data destruction policy ...).

  • Requirements in Document Wizard

    1. Why can I select only one person to approve my documents. We have more people so I am not sure how to handle this in our organization? 2. How are the risks and requirements listed in each step addressed in each policy. Do I need to do something on my side or reference them in specific paragraphs? How do I know which paragraph in the document covers which risk or which requirement so that when I am asked how we are treating those risks or requirements, I can show them?

  • ISO 27001 Conformio questions

    1. In case we have to abide by requirements in several states because we are doing business with both, how should we handle these requirements in the context of ISO 27001 implementation? 2. In case we have defined a security objective and we fail it (i.e., our target was to decrease the number of incidents, and we see that they have risen) will this hamper my possibility of obtaining the certification. 3. How do we select a certification body?

  • Conformio - ISO 27001 Requirements

    I saw that based on the risks or tasks created when preparing the corresponding documents in the requirements section it states to include them in the doc, is that being done by manually adding the references in the editable sections or is there a different method? I have uploaded a screenshot as requested. As you can see in the requirements it states to be sure to resolve the listed risks. Should this be done by inserting some references in one of the editable portions or is it being done by the wizard in one of the steps? https://i.imgur.com/qEQfHVI.png

  • Mapping of requirements categories to ISO 27001 controls

    Hi Dejan, Thanks for your reply and I understand what you are saying in the bullet points. However, I do believe my questions are still not fully understood. 1)      There may be a requirement for some controls for the HR department. We would then choose something like ‘Human Resources Security’ from the drop down list for the Area field, right? But my point is that there is no option for Human Resources Security available from the drop down list for the Area field. So my initial question some time ago was, why is Human Resources not listed as an area? Is this an omission (a bug) or has this been left out deliberately? And if so, why is this left out when all other control categories are available from the area drop down list. 2)      I understand the reasoning behind mandatory safeguards, but my question about that was where do these requirements show up in the SoA? Or do they need to be added to the SoA manually? I do believe that the combination of allowing the selection of an area together with the ability to specify individual controls would be taking the best of both worlds. I have made this suggestion to Aleksandra as art of request 63693. I still would very much appreciate to have a few hours of detailed training in the use of Conformio (like explaining the function of every field), as there are still areas that are unclear to me, that are not documented and that are costing me a lot of time getting them answered by sending emails to support and even going back-and-forth quite a few times, like about this issue. I would appreciate if some training is available in the short term.

  • Is Conformio for us?

    *** has several offices around the globe and has a total of around 1000 employees. If all offices will be within our scope, can we still use Conformio to get our objective?

  • Where do requirements in the area of 'Specifying mandatory safeguards' go?

    When I add a requirement and add it to the area of 'Specifying mandatory safeguards', I do not see it appear in the Statement of Applicability or Risk Treatment Plan. So where do these requirements appear in the later workflow and how do we keep track of implementation, etc.

  • Unable to edit the project plan

    If we implemented a project plan some time back,  lets say we want to tweak a new plan that is forward looking  - is that possible ? 

    The project wording in conformio that is unchangeable  seems to suggest that after an initial implementation project there is no ability to record or manage other discrete projects using the conformio wizard..  
    An example project item might be to enhance our monitoring capability

    Is it the case, that instead  of a future  project plan/s as such , the way forward for all mini projects  is to capture all tasks as part of corrective actions etc ?   i.e. the conformio project planning module is purely for initial implementation ? i.e not to cover post implementation exercises ? 

    Look forward to your response, so I can advise business senior management and the auditor accordingly

  • Conformio Risk Register

    I noticed that the risk register within Confirmio is built with asset-focused method of doing risk assessment (as per version 27001:2005). However, with version of 27001:2013, the risk assessment method is using information-focused (6.1.2.c.1).

    My question is do you have a risk register module that follows information-focused approach?
Page 6 of 12 pages