I think I got a decent understanding on how to work on how the standard works from the videos, so I went ahead and started the implementation with the help of the documentation toolkit.
I have a few questions you may be able to help me with:
We are a small startup and have very little internal bureaucracy, let alone a document template pre-designed for that purpose, so in that sense we can be very flexible as to how we want the ISO 27001 documents to look like. I thought I'd keep everything in electronic format and rely on the word processor's features for things such as authorship, version control, signature and approval of documents, etc. That means that many of the elements present in the templates from the toolkit (the change history table, table of contents, page numbers, etc.) are redundant since they are already available as document metadata outside of the page. I understand these fields would be useful if we were to ever keep a printed copy of the document, but I don't think that is going to be the case. So my question is, should we nevertheless adhere to the format provided in the templates as a best practice or is any format adequate as long as it is consistent with the specifications from the "Procedure for Document and Record Control" document?
Similarly, the use of job titles seems excessive for a company our size, where a single employee is usually the only one responsible for writing the document, approving it and monitoring compliance. We do not have upper management levels nor board of directors. In that sense, to what extent should we rely on the use of role names such as Information Security Manager, as opposed to a more generic IT Manager? Should these job descriptions be reflected somewhere else, such as in the employment contract?
While working on some of the documents I noticed that the assessment of things such as requirements and stakeholders can be rather subjective. Is there any possibility of a certification body raising concerns owing to a disagreement on how this assessment was performed? In other words, how can we judge whether these documents contain enough and accurate information for the certification to be successful?
The documentation toolkit is sold with the premise of it containing all the information we need to become certified, but it refers to the standard itself at various explanatory notes throughout. E.g.: Requirements relevant for ISMS implementation are those established by the standard itself (all statements that contain the word “shall” are requirements). Would you advise purchasing the standard as complementary information to the toolkit?
Thank you in advance.