• updates of patches and other system settings are performed [specify how this is technically implemented, or make reference to a document defining the process]
• protection against malicious code is installed and updated [specify how this is technically implemented, or make reference to a document defining this process]
Answer: These lines only need to be implemented if there are unacceptable risks that can be treated by them, or if there are legal requirements, or top management decisions demanding their implementation. If none of these occurs, you do not need to implement these lines, and they can be excluded from the policy.
2. Risk for not having information system requirements (A.14.1.1) defined: Threat would be unauthorized access to the information system, Vulnerability: no defined information system requirements. Right?
Answer: In this case, "no defined information system requirements" is too generic. Here you may use "lack of access control rules" or "use of weak passwords".
3. Asset name: Model name or do we have to choose a name for each asset? p.s. It might be important to know that we're using the same models of a specific asset (e.g. laptops, servers, ...)
Answer: ISO 27001 does not prescribe detail levels for asset description, so you can use asset names that you consider sufficient to fulfill your needs.
4. A.14.1.2 and A.14.1.3 It says [Job title] must describe security controls, but is this obligatory or is the text that you have in your template and the implementation of these controls enough?
Answer: I'm assuming you are referring to the Secure development policy, section 3.5. Considering that, if controls A.14.1.2 and A.14.1.3 are applicable, then you have to describe the controls, because this description will be used as guidance for the implementation (i.e., without this description there is no way to know how to implement the controls).
5. Regarding the question that I asked the previous time. So let us say laptop A is the asset used by owner A, laptop B is the asset used by owner B, and both these laptops have the same risks. Does this mean I can only define it for owner A? Or do I have to write both owner A and owner B in the Asset Owner tab?
Answer: In the case of an asset where each single unit has a different owner, you can use an expression like "the asset user" to define its owner. This way it is clear that the person using the asset is responsible for its protection.
6. Information Classification Policy: Do we have to add the confidentiality level on top of each document that we're using or do we have to start doing that after being certified?
Answer: If the labeling of information is an applicable control, you have to add the confidentiality level on each document before the certification audit.
7. Is it obligatory to test backup copies ourselves? We are a webhosting company which has a lot of customers, and it's nearly impossible for us to do this all on our own.
However, the software that we use tests the backups. Is that okay?
Answer: ISO 27001 does not prescribe who must test backup copies, only that they are tested, so you can define another party to perform the test. Considering that this may be a third party (e.g., a contractor or a provider), you must ensure security clauses about this test are included in the agreement you have with them.
8. Access Control Policy: Control A.9.2.5 is applicable. Does this mean we have to put all the servers, networks, laptops, facilities, etc... in this table? The servers are like more than 100 in total.
Also, regarding the records of A.9.2.5: what are these records supposed to look like? Which tabs do they have?
Answer: Please note that the information required is "Name of system / network / service / physical area", so you do not have to list the servers, but you have to consider all servers that are part of the systems listed in the table. For example, you may have the system ABC which is based on three servers (e.g., application server, database server, and web server), so you have to check special rights on all these servers.
Regarding required records, ISO 27001 does not prescribe a format, but you can consider that the information they have to contain includes the defined special rights, which special rights are currently implemented, and the date when the review was performed.