1. We are in the beginning stages of implementing ISO 27001. We have purchased your ISO toolkit. We are working on the 02 Identification of Requirements documentation. Please help us in understanding the following for the Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements document: How detailed do we need to get when listing our requirements? Do we need to list each requirement in the ISO (Annex A), HIPAA, or other standards and determine the responsible person for each? Or, can we just reference the standard?
Answer: The details must be sufficient so that the person responsible for ensuring compliance can understand what to do.
For ISO 27001, considering that all the content of the standard is related to information security, you can refer only to the standard.
Regarding other legal requirements such as laws and contracts, where only part of them refer to information security, a better approach would be to identify the specific clauses or articles. For example, for GDPR, the regulation for data protection in the EU, the requirement for ISO 27001 is Article 32, not the whole GDPR.
2. Should the interested parties be everyone that would be impacted by the requirement?
Answer: The main criteria for identification of interested parties are the ones that can influence your security, either by impacting it or by being impacted by it. Their relationship with the standard's requirements is secondary.
3. For contract clauses, do we need to list the actual contract clause that we need to comply with in this document?
Answer: It is interesting to identify only the contract identification, the number of the clause, and a general summary (e.g., contract xxxx, clause 123, information backup). Besides protecting the confidentiality of the contract, if the content of related clauses changes you will not have to update this list of requirements, which minimizes the administrative effort to manage documents.
4. If we need a detailed list, it appears that this list would be the same list that we would use for the Statement of Applicability. Is this assumption true?
Answer: Please note that the List of Requirements and Statement of Applicability (SoA) fulfill different purposes.
The List of Requirements is used for identification of requirements that will affect or be affected by your security, while the SoA only uses these identified requirements to justify the applicability of some controls (in fact, the SoA is created well after the List of Requirements).
So, when elaborating the SoA you normally won't be identifying requirements, and you do not need to include requirement details (you can simply refer to an item in the List of Requirements).
5. Also, in looking at the toolkit, I did not see a template that we would use to document our ISMS program. Am I missing something or is it called something different?
Answer: ISO 27001 does not require an organization to document in a centralized way which policies, procedures, guidelines, and standards are used to implement the Information Security Management System (your ISMS program), and this is not a common document used by organizations implementing ISO 27001, so it is not included to minimize the administrative effort on managing the ISMS documentation.
The closest documents you can use for this purpose are the Project Plan, where you define the initial setup of your "program", and the Statement of Applicability, which refers to the policies, procedures, and other documentation used to implement applicable controls.
Of course, you can use the blank template included in your toolkit to develop such a document and submit it to us for evaluation, so we can point out which points may need adjustments to fulfill your needs.