
Tag: "Product: Conformio" - Expert Advice Community


  • ISO 27001/Conformio questions

    1. The Risk Register flow seems to be inverted. Can you explain why vulnerability comes before the threat? We were under the impression that we would first need to evaluate the threats related to assets, and then the vulnerabilities.
    2. Regarding the inventory of assets - in Conformio we have a list of general assets, like computers, but we would like to have a separate document with a list of all the assets within our company, such as which types of computers we use. Is this needed for the successful implementation?
  • Risk Assessments in Conformio

    1. Can assets be put in a hierarchy, so that filing cabinets can be seen as part of an office building, or a firewall as part of a server? I think this would have benefits for overview and for determining assets potentially affected by incidents related to other assets below or above in the hierarchy. I'm not sure whether this makes sense from a Risk Management perspective.
    2. I see the same vulnerabilities for different assets, like inadequate change control for laws, regulations, etc., but also for policies, procedures and work instructions. Is there a way to optimize this and to reduce the number of vulnerabilities?
  • ISO 27001 / Conformio questions

    1. How should we treat the risk assessment process? Should we consider all the risks within our company and go over a bit, or should we be more conservative? For example, should we consider our CEO being on leave as a risk while doing the risk assessment?
    2. In terms of the SoA, should we mark all the controls as applicable? How should we approach this?
  • ISO 27001 questions - Conformio/Toolkit

    I have some questions about the ISMS scope document from the toolkit. We own the servers in a data center that is owned by a third party, so what does it mean that the provider has control? Our customers purchase our service as SaaS, but we on our side have suppliers who provide us the data center. These are the services we offer. The question is - does this mean that the provider who has control is the customer, us as the provider of the service, or the third-party service we use to rent the data center? How does this affect our risk matrix? We buy/rent our infrastructure, so what asset should we include in the risk matrix? What I understand is that we should mark ourselves as number 2 in this table. Am I correct? In that case, should we include the data center as an asset of our organization or not, since this is something we rent? In that case this asset should not be included, is that correct? Should we also include storage media as an asset, considering the scope of our business? When thinking about the assets "Internally developed software" and "Servers" - should we consider all the different products we are providing and servers we are using as separate assets, or can we write just general "Servers" or "Internally developed software" and that is enough? When thinking about "Operating system" as an asset - does this refer to the operating systems we use in our organization where we are running the server, or does it refer to the operating systems our customers are using when downloading and using our service?
  • Annex A Controls in Conformio

    1. It seems like you are informing me through Conformio that I should prepare policies with Annex A controls incorporated into them (as it appears in the Project Plan). For example, title: Incident Response Policy, and we will mention the Annex A controls in it. Shouldn't we just have a folder A.16 Incident Security Incident Management and files A.16.1 Responsibilities, A.16.1.2 Reporting Information Security Events, A.16.1.3 Reporting Information Security Weaknesses, A.16.1.4 Assessment of and Decision on Information Security Events, etc.?
    2. Is there a tool JUST for Risk Assessment?
  • Security objectives in Conformio

    If it's not possible to do this (changing the security objectives), then we'd probably disapply all the Conformio ones and create our own document. Would that cause problems elsewhere in the system?
  • ISO 27001 questions related to Conformio

    Question 1: "We are a little bit lost with the Initial Training Plan, as we are not sure how to structure it and what good practice is. Can you provide good practice for training when defining the Initial Training Plan? We are not sure if we need to define different suggested training for different skills. Should it be based on different skills or different rules depending on the role in the company? What are good training or skills for an IT Manager or Compliance Officer, for example? We would also appreciate a catalog of links to training on your website that can be useful in completing the training plan."
    Question 2: "We were going over the "Procedure for identification of requirements" and we ran into this part that wasn't clear: https://prnt.sc/26guyux - what document does the "Information Security Management System Policy" refer to?"
  • Conformio - Bring your own device policy

    When thinking about this policy we have a company rule that only company laptops can be used for professional purposes. However, how should we treat personal mobile phones? They are not in the company network so do we include them also in the scope of the BYOD policy in Conformio?
  • Context of the Organization, where is this in Conformio?

    Where in Conformio are clauses 4.1, 4.2 and 4.3 addressed? We completed stage 1 a few weeks ago, and the auditor listed this critical finding: "Cl. 4.0 Context of the Organization is not determined". We are scheduled for stage 2 in 1 week, and need to find/create this document fast.
  • Corporate use of Conformio

    Thank you for the following… I'm already testing the 30-day trial of the Conformio platform; it looks very interesting! I have one question related to the corporate use of Conformio. I work in a mid-size company that has 2 different business units. If I want to implement ISO 27001 for both business units on different timelines, do I need to purchase 2 licenses of Conformio, or can I manage the ISO 27001 implementation for both with just one license? For example, one this year and the other in 2023? Those B.U. are not different companies, but they have different structures, with different IT departments for example, and different interested parties for the ISO 27001 certification accomplishment.