We ordered your ISO27001 toolkit to prepare ourselves for the XYZ audit.
Our company XYZ is an XYZ-employee company developing and licensing its own software as SaaS. The DevOps infrastructure is hosted internally, but all SaaS services are provisioned from the AWS cloud. Employees in our company are divided into two groups: sales/marketing and developers. Developers have several roles because they develop the software, administer the production system and, to some extent, provide customer support. Most of the admin processes (finance and payroll) are outsourced. These are typical arrangements in companies of about our size.
- I am struggling with the level of detail for listing assets in the 10.1 Risk assessment table. Does the standard define how detailed the assets must be, or, more importantly, what is required in an audit? The catalog examples in the toolkit vary from very detailed to more general ones. For example, can one asset be "development operations system", or do we need to break it down in more detail (Eclipse as IDE, Git for version control, Jenkins for continuous integration, Jira as task management, etc.)? A similar question: can I describe our SaaS service as one asset even though it has several technical components inside?
- My second question relates to separation of duties, because we simply do not have enough development people to maintain strict role separation between people; the same people develop and deploy versions to production. Of course, there is a well-defined process to test and accept a release candidate before it is put into production.