The Audit and Evidence module is a feature of Conformio that brings together all the information you need for an audit on one page, so you do not have to open individual documents, policies, or modules.
Information Displayed
In the Audit and Evidence module, you have all the information you need on one page:
- Resources to learn more about compliance and ISO 27001;
- Statistics about completed documents, steps, and clauses;
- Access to all of your documents;
- An overview of the clauses and controls in ISO 27001.
To navigate the Audit and Evidence module more quickly, you can use the search box and type:
- A keyword from the title;
- The owner of the document;
- The status of the document;
- A relevant clause.
Viewing Documents
Viewing Documents shows you:
- Which documents are mandatory (required by the standard, or marked as needed in your Statement of Applicability) and which are optional;
- Which documents are completed, approved, in progress, or not yet set;
- When each document was last changed;
- Who owns the document;
- Relevant clauses for the document.
To find information more quickly, you can filter the data displayed in the Documents view by clicking the Filters button.
Managing Documents
Clicking the three dots in a document's row opens a navigation menu that lets you:
- See the details of the document;
- Go to its step in the “Implementation steps;”
- Download the latest version of the document.
Clicking See details opens a sidebar with additional information about the document. The sidebar contains:
- Title of the document;
- Status of the document;
- Last change and its owner;
- Explanation of the document;
- Relevant clauses;
- A Go to step link for the document;
- A Download link for the document.
Viewing Clauses and Evidence
Viewing Clauses and Evidence gives you an overview of the following:
- The status of clauses and controls;
- The evidence required for these clauses and controls;
- The action (arrow) button to open additional details about the clauses and controls.
Managing Clauses and Evidence
Clicking the arrow in the row of a clause or control opens a sidebar with additional information. The sidebar contains:
- Title of the clause or control;
- Status of the clause or control;
- Explanation of the clause or control;
- Implementation methods list;
- Adding notes and links;
- Uploading files for evidence collection;
- List of modules that can be shown as evidence.
To find information more quickly, you can filter the data displayed in the Clauses and Evidence view by clicking the Filters button.
Uploading Evidence
To upload evidence, follow these steps:
- Click the Choose File button under Evidence of implementation;
- Select the files in the dialog that opens and upload them.
Note: Uploaded evidence can also be deleted directly from here.
Uploaded evidence can also be accessed in the Document Explorer in the Compliance evidence folder.
Frequently Asked Questions:
1. How often do the stats in Audit & Evidence update?
The statistics shown at the top (step completion, documents, and controls) are updated immediately, as soon as the status of the underlying step, document, or control changes.
2. How to properly collect evidence?
To collect evidence of compliance properly, you can use several methods: reviewing documents and records, making direct observations, and interviewing employees. Whatever the method, document the evidence collected for each clause of ISO 27001, for each applicable control in the Statement of Applicability, and for each requirement in the company's own security policies and procedures.
3. What does it mean if a clause or control is not ready for audit?
If a clause or control is not ready for audit, it means you are missing something regarding its compliance. The Audit & Evidence module helps you with this, by listing all the requirements needed to change the status from “Not ready for audit” to “Ready for audit” under implementation methods and implementation evidence.
4. Can Conformio guarantee a passing certification if we have completed the Audit & Evidence Module and everything is ready for audit?
The certification audit consists of two stages: Stage 1 audit (also called “Document review”) and Stage 2 audit (also called the “Main audit”):
- In the Stage 1 audit, the certification auditor will read all of your ISMS documents and assess whether they are compliant with the standard. The auditor will also learn about the specific security rules in your company and use that knowledge in the Stage 2 audit.
- In the Stage 2 audit, the auditor will check if the activities in your company are compliant with the standard and with your own security documentation.
Examples:
- During the Stage 1 audit, the auditor will read the Backup policy and check whether it is compliant with ISO 27001 control 8.13 Information backup, whether it was approved by the authorized person, and whether it was distributed to all employees who need to perform backups.
- During the Stage 2 audit, the auditor will ask the system administrator to show the logs of the backup system, to see whether the backup frequency is compliant with the Backup policy.
None of Conformio's clients have had problems with the Stage 1 audit, since we can guarantee that our documents are compliant. However, Stage 2 depends on whether your own employees act in accordance with those documents, and Conformio cannot guarantee employees' behavior.
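As an added illustration of the Stage 2 check described above (this is an example written for this page, not Conformio's own code or an auditor's tool), the script below parses a constructed backup log in an assumed `timestamp job status` format and tests whether successful backups occurred at least as often as a hypothetical Backup policy requires (daily, with a two-hour tolerance). It measures gaps from the start of the audit period, between successful runs, and up to the end of the period, so a job with no runs at all is reported as one gap covering the whole period, and a failed run that was retried successfully within the window does not by itself count as non-compliance. The policy, job names, sample log lines and log format are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp job status" format (not a real product's log).
SAMPLE_LOG = """\
2024-03-01T01:00:12Z db-prod SUCCESS
2024-03-02T01:00:09Z db-prod SUCCESS
2024-03-03T01:00:31Z db-prod FAILED
2024-03-03T02:15:00Z db-prod SUCCESS
2024-03-04T01:00:05Z db-prod SUCCESS
2024-03-05T01:00:44Z db-prod SUCCESS
2024-03-01T03:00:00Z fileshare SUCCESS
2024-03-02T03:00:00Z fileshare FAILED
2024-03-03T03:00:00Z fileshare FAILED
2024-03-04T03:00:00Z fileshare SUCCESS
"""

# Hypothetical policy: each job must have a successful backup at least daily,
# with a two-hour tolerance for late runs (so the maximum allowed gap is 26 hours).
POLICY = {
    "db-prod": timedelta(hours=26),
    "fileshare": timedelta(hours=26),
}

# Assumed audit period for which evidence is being checked.
PERIOD_START = datetime(2024, 3, 1, 0, 0, 0)
PERIOD_END = datetime(2024, 3, 5, 12, 0, 0)


def parse_log(text):
    """Parse the log into {job: [(timestamp, status), ...]} sorted by time."""
    runs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, job, status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        runs.setdefault(job, []).append((when, status))
    for job in runs:
        runs[job].sort()
    return runs


def check_frequency(runs, policy, period_start, period_end):
    """Compare successful backups per job against the maximum gap allowed by the policy.

    Returns {job: {"successes", "failures", "gaps", "compliant"}} where each gap is a
    (from, to) pair of timestamps between which no successful backup was recorded.
    """
    findings = {}
    for job, max_gap in policy.items():
        history = runs.get(job, [])
        successes = [t for t, s in history if s == "SUCCESS"]
        failures = [t for t, s in history if s != "SUCCESS"]
        # Checkpoints include the period boundaries so that a missing first or last
        # backup (or a job with no runs at all) is detected, not just gaps in the middle.
        checkpoints = [period_start] + successes + [period_end]
        gaps = [(a, b) for a, b in zip(checkpoints, checkpoints[1:]) if b - a > max_gap]
        findings[job] = {
            "successes": len(successes),
            "failures": len(failures),
            "gaps": gaps,
            "compliant": not gaps,
        }
    return findings


def run_sample():
    """Run the check over the constructed sample log with the hypothetical policy."""
    return check_frequency(parse_log(SAMPLE_LOG), POLICY, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for job, result in run_sample().items():
        verdict = "compliant" if result["compliant"] else "NOT compliant"
        print(f"{job}: {result['successes']} successful, {result['failures']} failed, {verdict}")
        for start, end in result["gaps"]:
            print(f"  no successful backup between {start} and {end} ({end - start})")
```

On the sample data, db-prod is reported as compliant even though one run failed, because the retry succeeded about an hour later and every gap between successful runs stays under the allowed 26 hours; fileshare is not compliant, with a 72-hour gap after two consecutive failures and a further gap up to the end of the period. Presenting the auditor with the log together with this kind of summary is much quicker than reading raw log lines in the meeting.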