Guest user Created: Jun 24, 2022 Last commented: Jun 24, 2022

ISMS implementation

At the moment, my questions regarding ISO implementation are: · In document 2.1 it asks for requirements. It is not clear to me how to identify those requirements. Can we link them to controls from the Annex? · For the ISMS Scope: we want to certify only our location in Belgium and we were advised by certification bodies to not mention our second location in Poland at all. However, our processes happen regardless of the location and part of them happens in Poland. Can we (and how) exclude Poland from the ISMS while keeping the processes? · Given that it's the first time we implement ISO in aug.e, what are the steps we should follow regarding filling in the documents? It seems to us that we will have to go back and forth in a way that will be quite confusing. I couldn't find any relevant information in the Advisera courses.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jun 24, 2022

1 - In document 2.1 it asks for requirements. It is not clear to me how to identify those requirements. Can we link them to controls from the Annex?

Answer: The requirements related to the template “List of Legal Regulatory Contractual and Other Requirements” refers to needs and expectations defined in laws, regulations, and contracts the organization must fulfill (e.g., protection of privacy due to GDPR, service continuity due to a Service Level Agreement with a customer, etc.).

Such requirements, together with the results of risk assessment, provide the bases for the definition of which controls from ISO 27001 Annex A will be implemented by an organization to protect information.

For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

2 - For the ISMS Scope: we want to certify only our location in *** and we were advised by certification bodies to not mention our second location in *** at all. However, our processes happen regardless of the location and part of them happens in ***. Can we (and how) exclude *** from the ISMS while keeping the processes?

Answer: You can define the ISMS scope only in terms of site *** and treat site *** as an external party (e.g., like a supplier).

This way you can treat information security for them by means of “service agreements”, and they would not be a direct part of the ISMS scope.

For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

3 - Given that it's the first time we implement ISO in aug.e, what are the steps we should follow regarding filling in the documents? It seems to us that we will have to go back and forth in a way that will be quite confusing. I couldn't find any relevant information in the Advisera courses.

Answer: Please note that for conducting the implementation in the most efficient way you should implement the documents in the order they are displayed in the folders in the toolkit (i.e., first the Procedure for Document and Record Control, then the EU GDPR Readiness Assessment, then the Project Plan, the Procedure for Identification of Requirements, and so on).

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jun 24, 2022

Expert Advice Community