1 - Clause 7.4 – Communication ( how to evidence the communications plan). Where do I find this information on the system?
Answer: Communication is an activity that is performed by many processes in information security, with different purposes, so in general, for medium and small businesses there is no point in creating a centralized communication plan, because it would be to complex to use and maintain by people responsible for communication.
For small and medium-sized organizations information related to communication, communication activities are defined in documents like:
- Information Security Policy
- Incident Management Procedure
- Disaster Recovery Plan
Each of these documents specify who needs to communicate what.
Additionally, there is some communication that is performed outside of Conformio – e.g., through emails, Slack, verbal, etc.
2 - Clause 8.1 - Operational planning and control (To see the ISMS Calendar/Planner). Where do I find this information on the system?
Answer: The ISMS scheduled activities (i.e., action, responsible, and frequency) related to implementation and control of information security processes (e.g., risk assessment, monitoring and measurement of controle and security objectives, internal audit, etc.), as well as of those activities related to management of necessary documentation (e.g., policies and procedures) can be found in the Responsibility Matrix. This matrix is developed based on the activities defined in each approved document (i.e., when a document is approved the activities defined on them are included in the responsibility matrix).
3 - Clause 9.1 - Monitoring, measurement, analysis and evaluation (To see the measurement & Metrics and measurement results). Where do I find this information on the system?
Answer: You define required metrics and measurements in the “Setting up Management review” step. Achieved results can be found in the “Reporting dashboard” and in the “First Official Management Review” step.
4 - Clause 10.2 - Continual improvement (To see ISMS continual improvement log). Where do I find this information on the system?
Answer: The information about continual improvement can be found as corrective actions defined in the Nonconformity module.
5 - A.18.2.2 – Report of information security compliance monitoring from various Managers/Heads of Heads or plan of action. How do I capture or evidence this in the system?
Answer: First is important to note that the specific requirements to report compliance need to be identified through the “Register of requirements module”. This module will identify which laws, regulations and contracts you need to comply to, and by reading these requirements you will identify how to evidence compliance (e.g., by releasing a report, by performing an audit/management review, etc.)
Considering that, some examples of elements that can provide evidence of compliance are audit reports (through the Internal Audit Module), management review minutes (through Management Review Module), and the Dashboards in the Reporting Module.
6 - and Finally, How to use Conformio to test the effectiveness of the ISMS in the organization?
Answer: To find out if ISMS is effective, you need to perform two activities:
1) Internal audit - in Conformio you have a separate step for that purpose that takes you to the Internal audit module.
2) Measure if the ISMS is fulfilling the objectives - in Conformio you can find this in dashboards in the Report module.