Expert Advice Community

Implementing ISO 27001

Guest user Created: Oct 17, 2020 Last commented: Oct 21, 2020

Hello Dejan,

As you might know, we are already ISO 17100 and ISO 9001 certified, and we will have the audit for these two ISOs on the 9th and 10th of November.
Now I want to change the documentation we had for IT security to the ISO 27001 documents we got from you, so that we avoid duplications and unnecessary work. For ISO 9001 & ISO 17100 we already had the description of our workstations, servers, password management and software (Bitwarden), antivirus/firewall policies and software (Bitdefender Endpoint Security), etc. But now I want our IT to put everything into documents that we can use for ISO 27001.
1. Should we start with the risks and then explain our actions and measures to reduce the risk? For example, weak passwords -> strict password policy, Bitwarden, etc. OR: Do we say what we have and what it is for?
2. In your documentation we don't find any inventories of hardware and software. Isn't that necessary?
3. Do you normally recommend creating a flowchart for the server and backup systems, or do you explain everything in an Excel?
4. Our team (12 people) is working in home office and we work with many freelancers. So we think we should limit the scope of our ISO 27001 to a specific service and not to the whole company. What do you think?


Expert
Rhand Leal Oct 17, 2020

1. Should we start with the risks and then explain our actions and measures to reduce the risk? For example, weak passwords -> strict password policy, xxxxx, etc. OR: Do we say what we have and what it is for?

Answer: I'm assuming you are trying to turn your current IT documentation compliant with ISO 27001.

Considering that, your first assumption is correct: the risk assessment will provide you with the main input on what you need to include in your documentation.

2. In your documentation we don't find any inventories of hardware and software. Isn't that necessary?

Answer: ISO 27001 does not require an inventory to be developed, but most companies develop one, or use an already existing one, as a good practice. In your toolkit there is an Inventory of assets template in the folder 08 Annex A Security Controls >> 8 Asset Management.

For further information, see:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

3. Do you normally recommend creating a flowchart for the server and backup systems, or do you explain everything in an Excel?

Answer: First, it is important to note that both approaches are acceptable for certification purposes, but to minimize the use of different approaches and tools, we recommend using an Excel table.

4. Our team (12 people) is working in home office and we work with many freelancers. So we think we should limit the scope of our ISO 27001 to a specific service and not to the whole company. What do you think?

Answer: You can limit the scope of your ISO 27001 ISMS to a specific service, and to your employees (because the company can control them by means of employment agreements and similar legal documents), but your physical home offices should be out of scope (because the company cannot control them).

Guest
Pedro Santos Oct 21, 2020

Regarding point 4: is it possible to limit the scope to a specific service and employees but exclude home offices? So, while they are working from home, we can't audit for ISO 27001? Or do you mean that only the scope has to be limited?
