Filling templates

Guest user Created:   Feb 08, 2019 Last commented:   Feb 08, 2019


1. Regarding the reference docs; what do we need to put in here? Do we need an actual list and if so do we need to list the whole toolkit?

Expert
Rhand Leal Feb 08, 2019

Answer: Besides the reference to the ISO 27001 standard and to the implementation project plan (if such a document exists) that is already included, you have to include references to any laws, regulations or contracts that have clauses that can impact your ISMS (e.g., confidentiality clauses in service level agreements with customers, data protection clauses in laws you are required to follow, etc.). For this list you can reference the List of Legal, Regulatory, Contractual and Other Requirements template, which is included in your toolkit in folder 02 Procedure for Identification of Requirements, and include the references to all documents there.

There is no need to include a reference to any other document from the toolkit.

2. We have an offshore wholly owned subsidiary in India which operates as a separate legal entity, can we include that in the scope?

Answer: Subsidiaries legally bound to the main organization can be included in the ISMS scope, but you should evaluate whether the effort to maintain two organizations operating in different countries in a single scope is not greater than adopting two separate scopes.

3. During the first audit, the auditor mentioned we needed a 'small scope' that would be printed on the ISO Certificate, which part of the scope is he referring to?

Answer: The auditor is referring to a summary from subsections 3.1 to 3.5 of the ISMS Scope Document (processes and services, organizational units, locations, networks and IT infrastructure and the exclusions of the scope). An example may be:

"The ISMS scope comprises the software development process, performed by our software development department on premises located at address xyz, and the customer support process, performed by our customer relationship department on premises located at address abc."
