Register of legal, contractual and other requirements

Guest user Created:   Jul 19, 2022 Last commented:   Jul 19, 2022

1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

2 - For ISMS Scope: we're not sure what to include and what to exclude! Do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

4 - For IT Security policy: is it only 1 global policy? Or do we need to add related policies like backup policy, cloud policy, data destruction policy, etc.?

Expert
Rhand Leal Jul 19, 2022

1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

In this step, you need to record all laws, regulations, standards, and contracts that impose information security requirements on your company.

This step will help you identify which security controls you need to consider in your ISMS implementation.

For further information, see:

2 - For ISMS Scope: we're not sure what to include and what to exclude! Do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

To help you define your ISMS scope, please access this free tool:

3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

ISO 27001 does not require you to have a separate Asset inventory, so in Conformio the Risk Register is used for listing the assets.

In Conformio assets are identified as part of the information risk assessment and treatment, in the Risk Register module, so you only need to identify assets that are relevant to the information you want the ISMS to protect. You should include all assets that you control - those could be the assets you are using (e.g., your people), that you purchased (e.g., laptops), or that you provide to third parties (e.g., Software-as-a-Service).

4 - For IT Security policy: is it only 1 global policy? Or do we need to add related policies like backup policy, cloud policy, data destruction policy, etc.?

ISO 27001 does not prescribe the content of an IT Security policy, so you can develop it as a single document or as multiple documents covering specific areas.

In Conformio you can either use a single document for the IT Security policy or several separate documents. You can decide this after performing the risk assessment step; Conformio suggests the documents you need to develop within the Statement of Applicability step, considering the applicability of controls.

For further information, see:
