ISO 27001 questions related to Conformio

1 - We are a little bit lost with the Initial training plan as we are not sure how to structure it and what are good practice. Can you provide good practice for training when defining the Initial Training Plan?

Answer: The easiest way for defining the Initial Training Plan, you should consider insert the trainings specific to steps/policies that are relevant employees to master, and then that training is automatically added to the Training step.

For example, for the risk register step this is how it looks like:

In each of the steps a user can define specific trainings and assignees, those are then automatically added to the Training module. In case you want to update the training status or define new trainings, you can do this inside the Training module itself. 

2 - We are not sure if we need to define different suggested training for different skills. Should it be on different skills or different rules depending on the role in the company? 

Answer: Please note that there is no single answer to this question because you have different publics with different objectives:
- top management needs to make decisions over issues that many times are not so clear for them, and they do not need deep knowledge about technicalities of security issues (they will be more concerned about how it impacts the business). In these cases, your presentation should be focused on decisions they need to make on each policy
- technical personnel with operational responsibilities for security needs deep knowledge over technologies, methodologies, and process, so your presentation should be focused on the procedures and rules they need to follow
- overall personnel needs a basic understanding of security, to properly identify, report, and react to risky situations. In these cases, your presentation should be focused on examples and how to proceed according to the policies

3 - What are good training or skills for an IT Manager or Compliance officer for example? 

Answer: Examples for an IT Manager would be integration of information security in IT strategy or evaluation of security of solutions providers. As for Compliance Officer, trainings related to laws and regulations impacting information security (e.g., on EU GDPR, or US HIPAA).

4 - We would also appreciate a catalog of links to training on your website that can be useful in completing the training plan?"

Answer: These articles will also help you regarding awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

This material will also help you regarding awareness and training:
- Free Security Awareness Training: https://advisera.com/training/awareness-session/security-awareness-training/ - this is a series of 25 videos that cover various topics related to security.

5 - "We were going over the "Procedure for identification of requirements" and we ran into this part that wasn't clear: - what document does the "Information Security Management System Policy" refer to? "

Answer: First of all, sorry for this confusion.

The “Information Security Management System Policy” is the same “Information Security Policy” used in Conformio.