As you might know, we are already ISO 17100 and ISO 9001 certified, and we will have the audit for these two ISOs on the 9th and 10th of November.
Now I want to convert the documentation we had for IT security into the ISO 27001 documents we got from you, so that we avoid duplication and unnecessary work. For ISO 9001 and ISO 17100 we already had the description of our workstations, servers, password management and software (Bitwarden), antivirus/firewall policies and software (Bitdefender Endpoint Security), etc. But now I want our IT to put everything into documents that we can use for ISO 27001.
1. Should we start with the risks and then explain our actions and measures to reduce the risk? For example, weak passwords -> strict password policy, Bitwarden, etc. OR: Do we say what we have and what it is for?
2. In your documentation we don't find any inventories of hardware and software. Isn't that necessary?
3. Do you normally recommend creating a flowchart for the server and backup systems, or do you explain everything in an Excel sheet?
4. Our team (12 people) works from home, and we work with many freelancers. So we think we should limit the scope of our ISO 27001 to a specific service and not to the whole company. What do you think?