Mapping of requirements categories to ISO 27001 Human Resource controls (Conformio)
We have a customer that requires that *** employees be subjected to background checks, etc. This correlates to ISO 27001 Clause 7, Human Resource Security. However, there does not really seem to be a matching category in the "To what area is this requirement related?" dropdown list.
Is this an omission? Or, to what dropdown item should we map this requirement so that it shows up in the appropriate area of the SoA?
More questions on Additions to Conformio
Can you perhaps enlighten me as to how to segregate departments in the audit process?
I have a client that has 11 departments, each with their own set of risks, and they would like to know whether they need to read through the entire Risk Treatment Plan in order to identify the risks that are applicable to their specific business unit.
ISO 27001 question
We got feedback from the auditor that we need to have the document code included in all documents.
Is this mandatory based on the standard?
ISO 27001 external audit for rest of employees
As part of the ISO 27001 external audit, and apart from the security awareness training, we would like to inquire about the topics on which the auditor will be interviewing the rest of *** employees (those who are not currently set up as members of the ISMS in Conformio).
Currently, we are a bit concerned about what questions the auditor might ask employees, and some direction from you would be very useful.
Standard Forms
Where in Conformio can I find templates? I am looking for a template to address the requirements in 27002 12.1.2.
Conformio - Managing Records kept on the basis of any document
Hello All,
We notice that there is no way for us to fully edit the controls for record protection under "managing records kept" for any document generated in Conformio.
Currently, it only shows, and is limited to, a specific person, and we need to remove that. Please find an example below:
The following word alone cannot be removed and, as you can also notice, it is limited to a specific person rather than a group of personnel, which is what we are really aiming for.
Questions about Conformio
1 - Of the items listed as mandatory for 27001, do they all have to be in place at Stage 1, or is it okay to have a select list completed and the others still in progress?
2 - Also, could you give me an indication of the costs involved with Conformio, please? Does Conformio only cover 27001, or does it cover other standards as well? I am currently responsible for the compliance and regulatory affairs of two companies, which I have taken through ISO 13485, and I manage and maintain both their QMS arrangements, audits, NCs, suppliers, etc.
3 - I am currently seeking to add 27001 certification for both and have a project team in place to identify where the existing QMS requires additional items to be ready for 27001. We are currently doing risk/threat analysis and controls identification to enable completion of the Statement of Applicability. I will be using the same compliance company as we do for 13485 and have provisionally booked Stage 1 for September. Additionally, one business creates non-medical digital assets in addition to medical devices, so I am seeking 9001 there also. Pretty full on, as you can imagine.
BSI are constantly mailing me pushing their Compliance Navigator tool, but I think we are too small (70 people between both companies) and would use it too little to justify the costs they are quoting. Is Conformio a similar tool?
4 - Also, would you have, or have knowledge of, anywhere that I might be able to find a regulatory roadmap for medical devices across different regions? (It seems to be a bit of a minefield, and each country seems to have regulations relating to clinical risk management, etc. in place which must be met in addition to the MDR, etc.)
Sorry for the early-morning brain dump; hopefully it makes sense.
How to record external issues (not legal or contractual) in Conformio
In the Conformio "Register of requirements" it is possible to add requirements of the types "Contractual Agreement" or "Legal/regulatory requirement", but not any other external/internal issues as stated in ISO 27001. Our organization, for example, has an office in Ukraine, and we would like to add an availability requirement regarding the people and company infrastructure there.
How should we record that requirement in Conformio?
Approving Residual Risk in Conformio
Can you please advise whether we should click "Approve Residual Risk" during the final (Approval) phase of filling in the Risk Register module, even if not all of the identified "Risk Treatment Controls" items are yet in place or implemented?
Risk Register question
On the other hand, and still in reference to the Risk Register, we question whether it is reasonable to record the vulnerability "weak password" against the asset "Human Resources" (top management, employees, etc.) rather than against the more obvious asset "IT and communication equipment" (desktop computers, mobile devices, etc.). Our reasoning is that our people set their own passwords and are expected to comply with the password construction guidelines/Password Policy, and in the end it is through their adherence to those rules that this can be assessed. We are not certain whether this approach makes sense or is viable.