Guest
Considering that the rules specified in the IT Security Plicy are the same as the ones n case of teleworking and that all our applicatins and SaaS is in the cloud, could we avoid to write a Telewroking Policy and state that the Teleworking is regulated by the IT Security Policy?
Thanks
Is it necessary to implement a treatment plan for all identified risks, or is it only necessary to apply a treatment plan if a medium or high-risk is detected?
I am asking this question because in my risk assessment, all the residual risks are low, and according to my policy, only medium and high risks should receive a risk treatment plan. I want to know if it's appropriate to leave low risks without a risk treatment plan or if I should create one despite all risks being low.
In the Information Classification Policy,, to be more specific in 3.4. Handling classified information what exactly you want me to write down?
I am just getting started with Conformio and I see a problem. The wizard shows a document with text stating a policy on something we do not do. I see where I can add a paragraph, but how might I go about removing the text in the wizard that is not relvant to us?
Specifically, it is the Procedure for Document and Record Control stating what we do with phyisical documents. We are fully remote, and cloud-collaborative. We do not have phyisical documents (or locations) in the ISMS scope. And knowing our auditor, if he sees text about physical documents and how we handle them, he will want evidence.
I just want to know if, in best practices, and according to ISO 22301, it is preferable, in case of need for recovery, to perform it fully automatically or require human intervention step by step.
Is there a clause in the ISO 22301 documentation that specifies or describes this fact.
is it best practice to have the CEO approving the control of documents? my worry is the CEO to become a bottle nick for the organization since he have to review any changes to the documents. please clairify.
I dont think this statement makes sense " Statement of Acceptance of Residual Risks – a document specifying unacceptable risks for which an effective treatment has not been found " and It should read like "a document specifiying acceptable risks....."
Dears,
Could you please what do you need exactly here, what are the requiremnts for the " Register of legal, contractual and other requirements " in detalis
Thank you,
Hello,
Good Morning,
could be tell me what do you guys excatly want from the Procedure for document and record control document ?
in details please + I got couple of questions too, my scope is the whole organization, " This procedure is applied to all documents and records related to the ISMS ", so in my case is it all company's documents ?
Document approval
I understood that the CEO must approve all documents and is there something else ?
3.3. Publishing and distributing documents; withdrawal from use
There are some parts conformio is mentioned there I dont thing this is a professional way for the word " confirmo " is written there, " the Conformio platform will automatically inform all employees listed as users of the document by email...."
tell me more about record control and also document of external origin what do you want from me exaclty, I could not figure it out.
Thank you in advance,
Please clarify a question for me.
Can an information system be composed of: information security management system procedures and policies, hardware, software, networks, data, documents and facilities and people?