Expert Advice Community

Guest

How to record external issues (not legal or contractual) in Conformio

  Quote
Guest
Guest user Created:   Jun 01, 2022 Last commented:   Jun 01, 2022

How to record external issues (not legal or contractual) in Conformio

In the Conformio ‘Register of requirements’ it is possible to add requirements of types ‘Contractual Agreement’ or ‘Legal/regulatory requirement’, but not any other external/internal issues as stated in ISO 27001. Our organization for example has an office in Ukraine and we would like to add an availability requirement regarding the people and company infrastructure there. How should we record that requirement in Conformio?

Assign topic to the user

ISO 27001 PROCEDURE FOR IDENTIFICATION OF REQUIREMENTS

Basics of identification of interested parties and their requirements.

ISO 27001 PROCEDURE FOR IDENTIFICATION OF REQUIREMENTS

Basics of identification of interested parties and their requirements.

Expert
Rhand Leal Jun 01, 2022

First it is important to note that the Register of Requirements module is intended only for listing regulatory and contractual requirements, i.e., laws, regulations, and agreements. Further, ISO 27001 does not require internal or external issues to be documented.

Considering that, in case the requirement refers to an external/internal issue, it does not need to be documented, and you can record it in the SoA as a management decision for each related control (e.g., “control applicable due to management decision to ensure availability requirements”).

In case the requirement needs to be documented, because it refers to laws, regulations or contracts, then you can record it in the ‘Register of requirements’ module.

When the requirement refers to parts of the organization which are outside of the scope, you can define it within the Register of Requirements as a requirement of the third party since this part of the organization is not within the ISMS scope.

Please note that ‘Contractual Agreement’ can vary from fully formal agreements that can be legally enforced, to lesser formal agreements established internally through memos or emails.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 01, 2022

Jun 01, 2022