
Tag: "register of requirements" - Expert Advice Community


  • Register of Requirements — how detailed should it get?

    Hi, I'm using Confirmio to build out our ISMS and I'm on the Register of Requirements step.

    I'm trying to get a sense of the downstream impacts of being too detailed (or not detailed enough) here, and whether or not to be aspirational (i.e. list things we're not compliant with yet) or leave them out.

    Some examples:

    - A single contract could provide dozens of clauses that each map to a different area within cybersecurity (e.g. privacy, data breach reporting, operational security, secure software design, service level agreements, etc). Do I break down the contract terms into chunks? Or do I add just the contract as a single record? 

    - There are some government policies in place that apply to our customers but not directly to us. They oblige the customers to implement contractual terms and controls on us, and in some cases they haven't done this yet. So in a strict sense we're not on the hook for these yet, but I'd like to plan to become compliant over time anyway. Do I add them and mark them non-compliant?

    So my questions are really two-fold:

    First, what is the downstream impact of adding these items? Is it more onerous to then complete the ISMS set-up with more items here? Is simpler better? What do auditors expect?

    And second, what is the impact on having items in this register in a "non-compliant" status as it applies to certification? Does everything need to be green within these registers before we can be certified, or is a working system with non-compliance being tracked of greater interest to an auditor? 

    I'm interested to hear what's worked for others in the real world who've achieved compliance. We're only a small team.

    Thanks in advance!

  • Customers and Register of Requirements

    In the example for this section, "XYZ bank" is identified by name as a customer in the register. We are a SaaS provider with over 1,000 companies using our product to service their clients. We certainly do not need to list each and every one, since our service/product is the same for all. How would we identify our clients then?