Tag: "register of requirements" - Expert Advice Community

Home / register of requirements

Discussions

Top Contributors

Expert

Rhand Leal

4140
Discussions
Expert

Carlos Pereira da Cruz

1916
Discussions
Expert

Dejan Kosutic

366
Discussions

Most Popular Tags

Product: Conformio Product: ISO 27001 Documentation Toolkit Product: ISO 13485 & MDR Integrated Documentation Toolkit ISO 27001 ISO 9001 Product: ISO 27001 & ISO 22301 Premium Documentation Toolkit Risk Assessment Product: ISO 13485 Documentation Toolkit ISMS register of requirements Internal Audit Product: ISO 27001/Risk Assessment Table Product: ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit Certification ISO 14001
Category:
Select
CREATE NEW TOPIC +
Guest

Guest

Create New Topic As guest or Sign in

HTML tags are not allowed

Select

Assign topic to the user

  • Register of requirements: Granularity of entries

    Regarding the Conformio Register of requirements: I don't understand how granular the entries should be (recommended or required by the ISO27001:2022 standard). We have a lot of contracts with different customers but the contracts themselves have the same content. Should we create a new entry for every customer contract or would it be sufficient to create a general entry for all contracts with the same content? Or should we even create a new entry for every requirement of each contract of every customer?

  • Register of Requirements — how detailed should it get?

    Hi, I'm using Confirmio to build out our ISMS and I'm on the Register of Requirements step. I'm trying to get a sense of the downstream impacts of being too detailed (or not detailed enough) here, and whether or not to be aspirational (i.e. list things we're not compliant with yet) or leave them out. Some examples: - A single contract could provide dozens of clauses that each map to a different area within cybersecurity (e.g. privacy, data breach reporting, operational security, secure software design, service level agreements, etc). Do I break down the contract terms into chunks? Or do I add just the contract as a single record? - There are some government policies in place that apply to our customers but not directly to us. It obliges them to implement contractual terms and controls on us, and in some cases they haven't yet this done. So in a strict sense we're not on the hook for these yet, but I'd like to plan to become compliant over time anyway. Do I add them and check non-compliant? So my questions are really two-fold: First, what is the downstream impact of adding these items? Is it more onerous to then complete the ISMS set-up with more items here? Is simpler better? What do auditors expect? And second, what is the impact on having items in this register in a "non-compliant" status as it applies to certification? Does everything need to be green within these registers before we can be certified, or is a working system with non-compliance being tracked of greater interest to an auditor? I'm interested to hear what's worked for others in the real world who've achieved compliance. We're only a small team. Thanks in advance!