Maintaining and improving the ISMS starts as soon as the ISMS becomes operational and can be divided into continuous and recurring activities.
In Conformio, the Maintenance module is available under Compliance in the sidebar. Clicking on Maintenance will open the module.
1. When opening the Maintenance Module main page, the first thing you need to do is click on Update Dates so the dates for future maintenance actions are properly generated and updated.
2. When the dates are selected, the top of the module shows when your next mandatory Internal Audit, your next Surveillance Audit, and your re-certification are scheduled.
Below the dates, you have a dashboard separated into Recurring Activities and Continuous Activities. The dashboard also gives you the number of tasks for each activity and the date by which it should be performed to keep your ISMS effectiveness at the highest level.
3. The Recurring Activities should be performed throughout the year. You can click each activity to see more details. The schedule can be adjusted in the properties of the linked module. These activities include:
- Review of security training
- Review of documents
- Review of security objectives
- Review of risks
- Internal audit
- Management review
- Review of incidents
4. Continuous (ongoing) activities are routine operations performed regularly, on an ongoing basis, to maintain the effectiveness of the ISMS. These activities include:
- Training & Awareness
- Monitoring and measuring the ISMS
- Changes to interested parties and requirements
- Demonstrating leadership
- Communicating all relevant information
- Providing resources
- Handling incidents
- Nonconformities & corrective actions
- Continual improvement
- Operating the ISMS
5. By clicking on any activity, you can see the following information about this activity:
- Link to the related main module in Conformio.
- Explanation of what this activity is, when it should be done and what the auditor will be looking for.
- Related upcoming or recently completed tasks (for recurring activities only).
Tasks are automatically created by Conformio based on the following rules:
| Activity | Task name | Task trigger | Assignee | Due date |
|---|---|---|---|---|
| Review of documents | Check and, if necessary, update the [name of document] | Document is approved | Document owner | [date of trigger] + [frequency in doc wizard properties] |
| Review of incidents | Perform periodic review of incidents recurring | When both of the following main steps are completed (100%): “Incident Management Procedure” and “First Management Review.” | Incidents Register owner | [date of trigger] + [frequency in module properties] |
| Review of security training | Periodic review of security trainings | When the following step is completed (100%): “Initial training plan.” | Training module owner | [date of trigger] + [frequency in module properties] |
| Review of security objectives | Perform periodic review of security objectives | When the following step is completed (100%): “Setting up security objectives” | Security objectives module owner | [date of trigger] + [frequency in module properties] |
| Review of security objectives | Any task for providing the measurement for a specific approved (top-level or operational) security objective. For example: Input result for the operational security objective [Name of the security objective] | When objectives are confirmed (a separate task for each accepted objective). | Security objective’s “Responsible person.” | [First due date for measurement] + [How often to measure] |
| Review of risks | Perform periodic review of risks | When the following step is completed (100%): “Risk Register” | Risk register owner | [date of trigger] + [frequency in module properties] |
| Internal audit | In preparation of your next surveillance (or re-certification) audit, you should perform an internal audit. You can schedule it in the Internal Audit module. | When the “Next internal audit date” is updated in the Maintenance module. | Internal audit module owner | [Next internal audit date] – [1 month] |
| Internal audit | Complete the internal audit ISO 27001 internal audit - [name of audit] | When a new internal audit is scheduled in the Internal Audit module. | Assignee of the specific audit | [Start date] of specific audit |
| Management review | In preparation of your next surveillance (or re-certification) audit, you should perform a management review in the Management Review module. | When the “Next surveillance audit” date AND/OR “Next re-certification” date are updated in the Maintenance module. | Management review module owner | [Next surveillance audit] – [1 month] AND/OR [Next re-certification] – [1 month] |
Note that, for completed tasks, only those completed in the last 12 months are shown here. You can see all completed tasks in the Responsibility Matrix module.
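To make the due-date rules in the table concrete, the following is an added Python model of how the recurring-activity due dates derive from their triggers (an illustration written for this page, not Conformio's own code); the activity names and assignees come from the table, while the month-clamping behaviour and the `add_months` helper are assumptions of this model.

```python
from calendar import monthrange
from datetime import date
from typing import List, Optional, Tuple

def add_months(d: date, months: int) -> date:
    """Shift a date by whole months (negative allowed), clamping the day
    to the length of the target month (e.g. 31 Jan + 1 month -> 29 Feb 2024).
    Assumption of this model: Conformio's exact rounding is not documented here."""
    idx = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(idx, 12)
    day = min(d.day, monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

# Rules from the task table: "after" = [date of trigger] + [frequency],
# "before" = [scheduled audit date] - [1 month].
TASK_RULES = {
    "Review of documents": ("after", "Document owner"),
    "Review of incidents": ("after", "Incidents Register owner"),
    "Review of security training": ("after", "Training module owner"),
    "Review of security objectives": ("after", "Security objectives module owner"),
    "Review of risks": ("after", "Risk register owner"),
    "Internal audit": ("before", "Internal audit module owner"),
    "Management review": ("before", "Management review module owner"),
}

def task_due_date(activity: str, anchor: date,
                  frequency_months: Optional[int] = None) -> Tuple[str, date]:
    """Return (assignee, due date). 'anchor' is the trigger date for "after"
    rules and the next audit / re-certification date for "before" rules."""
    kind, assignee = TASK_RULES[activity]
    if kind == "after":
        if frequency_months is None:
            raise ValueError(f"{activity} needs the frequency from module properties")
        return assignee, add_months(anchor, frequency_months)
    return assignee, add_months(anchor, -1)

def management_review_due_dates(next_surveillance: Optional[date],
                                next_recert: Optional[date]) -> List[date]:
    """AND/OR rule: one management-review task per date that is set."""
    return [add_months(d, -1) for d in (next_surveillance, next_recert) if d]

def measurement_due_dates(first_due: date, every_months: int, count: int) -> List[date]:
    """Objective-measurement tasks: [First due date] + n * [How often to measure]."""
    return [add_months(first_due, every_months * i) for i in range(count)]

def is_overdue(due: date, today: date) -> bool:
    return today > due
```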
6. Throughout the Maintenance module page, additional information is provided in tooltips. Hover your cursor over an icon to show its tooltip explanation.
Frequently Asked Questions:
1. What if I put in the wrong date for the initial certification?
Any date can be manually updated at any time by clicking the “Update dates” link under the “Certification achieved” date in the top left corner.
2. Do I have to do all the actions required?
To keep your ISMS as effective as possible – yes. Please do all the actions required and on time.
3. I can see that some activities have tasks, but others do not – why is that?
Recurring activities have tasks because they have to be registered as completed. Continuous activities do not have tasks because it is assumed that they are completed on an ongoing basis.