How to record external issues (not legal or contractual) in Conformio
First, it is important to note that the Register of Requirements module is intended only for listing regulatory and contractual requirements, i.e., laws, regulations, and agreements. Furthermore, ISO 27001 does not require internal or external issues to be documented.
Considering that, if the requirement refers to an external/internal issue, it does not need to be documented, and you can record it in the SoA as a management decision for each related control (e.g., “control applicable due to management decision to ensure availability requirements”).
If the requirement does need to be documented because it refers to laws, regulations, or contracts, then you can record it in the ‘Register of Requirements’ module.
When the requirement refers to parts of the organization that are outside of the scope, you can define it within the Register of Requirements as a requirement of a third party, since that part of the organization is not within the ISMS scope.
Please note that a ‘Contractual Agreement’ can vary from fully formal agreements that can be legally enforced to less formal agreements established internally through memos or emails.
Jun 01, 2022