Tag: "register of requirements" - Expert Advice Community

  • Register of requirements: Granularity of entries

    Regarding the Conformio Register of requirements: I don't understand how granular the entries should be (recommended or required by the ISO 27001:2022 standard). We have a lot of contracts with different customers, but the contracts themselves have the same content. Should we create a new entry for every customer contract, or would it be sufficient to create a general entry for all contracts with the same content? Or should we even create a new entry for every requirement of each contract of every customer?

  • Register of Requirements — how detailed should it get?

    Hi, I'm using Conformio to build out our ISMS and I'm on the Register of Requirements step. I'm trying to get a sense of the downstream impacts of being too detailed (or not detailed enough) here, and whether or not to be aspirational (i.e. list things we're not compliant with yet) or leave them out. Some examples:

    - A single contract could provide dozens of clauses that each map to a different area within cybersecurity (e.g. privacy, data breach reporting, operational security, secure software design, service level agreements, etc.). Do I break down the contract terms into chunks? Or do I add just the contract as a single record?
    - There are some government policies in place that apply to our customers but not directly to us. They oblige the customers to implement contractual terms and controls on us, and in some cases they haven't done this yet. So in a strict sense we're not on the hook for these yet, but I'd like to plan to become compliant over time anyway. Do I add them and check them as non-compliant?

    So my questions are really two-fold: First, what is the downstream impact of adding these items? Is it more onerous to then complete the ISMS set-up with more items here? Is simpler better? What do auditors expect? And second, what is the impact of having items in this register in a "non-compliant" status as it applies to certification? Does everything need to be green within these registers before we can be certified, or is a working system with non-compliance being tracked of greater interest to an auditor?

    I'm interested to hear what's worked for others in the real world who've achieved compliance. We're only a small team. Thanks in advance!