Question for assignment

Guest user Created:   Apr 07, 2023 Last commented:   Apr 07, 2023

1 - For instance, in documents like SECURITY PROCEDURES FOR IT DEPARTMENT and IT SECURITY POLICY, record names, storage locations, etc. must be specified. So my concern is, how will it be if we are progressing with IT Security policy and have to write the same document name in the record name? According to my understanding, if we define a record name, there would be various documents pointing to that procedure. Let me know briefly what we can write, please.

2 - The situation you presented is very unusual, because a record related to a document in general refers to a specific action described in the document, and would not include the name of the type of the document. For example, for the “Backup Policy” you would have a record named “backup record” or “restoration record”.

Another concern is that we don't use antivirus software, yet the IT Security Policy has a section about it. What should we say in that section if our company doesn't use antivirus software?

3 - If you could clarify my confusion regarding the fact that the record name here in the secure development policy prepopulates the information for the record name and also shows the procedure for secure information system engineering and testing plan for security requirements and system acceptance, will we still need to create these documents on our own? How will the records be created?

This question is related to Section 4 in the security development policy document.

Expert
Rhand Leal Apr 07, 2023

1 - For instance, in documents like SECURITY PROCEDURES FOR IT DEPARTMENT and IT SECURITY POLICY, record names, storage locations, etc. must be specified. So my concern is, how will it be if we are progressing with IT Security policy and have to write the same document name in the record name? According to my understanding, if we define a record name, there would be various documents pointing to that procedure. Let me know briefly what we can write, please.

Please note that even if the document and record have the same name, for Conformio they are different items (one is type “policy/procedure”, and the other is type “record”), so Conformio will know how to handle them and will make the pointing the right way.

2 - The situation you presented is very unusual, because a record related to a document in general refers to a specific action described in the document, and would not include the name of the type of the document. For example, for the “Backup Policy” you would have a record named “backup record” or “restoration record”.

Another concern is that we don't use antivirus software, yet the IT Security Policy has a section about it. What should we say in that section if our company doesn't use antivirus software?

Please note that this section related to antivirus software will appear in the IT Security Policy only in case you have a relevant risk treated by control A.8.7 Protection against malware.

So, you need to review your Statement of Applicability to see if control A.8.7 is stated as applicable and reassess any related risks so they no longer need to be treated by this control.

3 - If you could clarify my confusion regarding the fact that the record name here in the secure development policy prepopulates the information for the record name and also shows the procedure for secure information system engineering and testing plan for security requirements and system acceptance, will we still need to create these documents on our own? How will the records be created?

This question is related to Section 4 in the security development policy document.

Your understanding is correct. You will need to create the documents (the record name in Conformio only identifies that they exist in your environment and what they are called).

These documents need to be created manually by the user. Since such information is very specific for each organization, it is unfeasible to provide a template that can fit the organization's needs.

In case you are having difficulties in developing such documents, you can schedule a meeting with one of our experts, and he will help you develop them.
