Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
Risk Register question
On the other hand, and still in reference to the Risk Register, we question if it is reasonable to consider the 'vulnerability' weak password in the Asset-Human Resources (top management, employees, etc.), rather than in the more obvious Asset-IT and communication equipment (desktop computers, mobile devices, etc.)? This, in the sense that our people set their passwords, are expected to comply with the password construction guidelines/Password Policy; and at the end, it can be through their following of the rules that this can be assessed. We are not certain if this approach makes sense, is viable. -
Conformio question
I have a question - should I and can I write specific assets in Conformio i.e. in case of asset "Operating systems" do we use Operating systems or do we write Windows operating system and make this more specific? -
Conformio expert questions
1. In the Project Plan document under section 3.4.3. the document is referencing a project team, however later on the title of the table is "Participants in the project". There is an inconsistency in the understanding of who are the members of the project team as there can be more participants in the project than the team members, especially if it is a larger company. Can you please clarify this section for me in this document? 2. We are a very small company and we do not have Head of IT department, but only the Senior IT technician and two IT support guys. In Conformio I can only define one IT support job title for one of the guys, but I cannot give the same job title to the second IT support person even though both of them have the same job title in our company. Can you explain why this is so? 3. We want to declare all printed documents as unreliable and therefore uncontrolled, but we were not able to find a way to do that in the Procedure for document and record control. Can you advise how we can add this statement in this document or where we can add this statement? -
Risk Register Team work question
I have one more question, I am preparing a review of mandatory documents for our ISO certification and I am using Advisera checklist to make sure we comply.
I have noticed that the checklist is slightly different to the steps I'm working on in Conformio. Would you please be so kind and let me know, where can I find documents marked in red in the screenshot below? Thank you in advance!
Documents I can prepare in Conformio:
Documents listed as mandatory, red dots highlight the ones I am unsure where to find them.
-
Conformio expert question
1. How to handle legal and contractual requirements and what clauses require this in the standard? 2. Is it required that the person who is doing the Audit needs to have training in Internal Auditing and ISO 27001? -
ISO 27001 / Conformio questions
1. Can I as the Project Manager of the ISO 27001 also conduct the Internal Audit? Or should this be done by someone who is not as involved in the project implementation? 2. When should the first Management review be conducted? At the end when we have all of the documents, or while we are implementing the policies and procedures? I am asking this because there are some items that have first occurrence set as one month after the start of the project so now I am afraid that I was supposed to do this from the beginning. -
Questions about ISO 27001 controls in Conformio
1. We have a question about this Time synchronization control - the control in Conformio says to use accurate time clocks and synchronize them automatically. We have a system in place to synchronize clocks and our laptops that the emloyees use are also synchronized via google services. We would like to understand if we should write a policy about this and what can we expect during the audit? Will the auditor ask to see how we do this for all clocks and laptops or will he ask for a random one? Would this also be applicable to tablets? This is the task I am referring to
(control A12.4.4)
2. We have similar questions around the task "Make sure all computers use anti-malware" related to control A 12.2.1 - what would the auditor check in relation to this and do we need a written policy on how we handle this in our organization?
3. Also, the standard uses the word elements to be considered and they give 10 recommendations? Are these recommendations or do we need do everything that is listed?
-
Question about Conformio project results
Why are the mandatory documents reflected here https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision not mentioned in Conformio project results? If Conformio project results are not mandatory, why do we need it? -
Conformio Questions
*In the Procedure for Document and Record Control under #5- Managing records kept on the basis of this document: in the table under "Record Name", what goes there? We will be storing any external records pertaining to our ISMS in a folder on Confluence. What about the "Storage Location" - does that need to be a link or just "Confluence Folder" noted? -
Conformio risk register
I have a few questions regarding Conformio (trial). 1. First, a question about risk management methodology (the process) could you elaborate the logic behind that, is it different than in your toolkits (RA and RT) tables? Because, I haven’t used the vulnerability - threat approach, I am confused that you must choose applicable control to vulnerability and then again to threat? Or, are these applicable controls, controls which are already implemented safeguards in our environment? and we have to consider them when we do risk evaluation (the next step, these controls are already included in the risk level)? 2. Can you adjust controls also (make your own), or are there ISO A-attachments related controls only? 3. I can’t seem to adjust residual risk manually (after I have added controls appropriate to treat the risk), why is that?