1. I’ve got a question on perspective. As we fill out some of this documentation, specifically as we were filling out the Statement of Applicability, we were going down the first column deciding if certain annex controls were applicable to us. We found that we were going back and forth on whether a control is applicable or not based on the perspective of looking at it from an *** perspective or from the customer’s perspective.
For example, A.7.2.2 “Information security awareness, education and training”. If I look at that from an *** perspective, we’re obviously going to have that policy in place at the corporate level, but do we need one at the level of Managed Services? And is this applicable to us, because we wouldn’t have any sort of information security awareness training for customers of ours, nor should they expect that for the services we’re offering? So how are we meant to look at this?
2. There’s a lot of business continuity stuff listed in the templates, but Business Continuity ISO certification is not a part of our certification process from our external auditing team. So do we still need to complete all of the business continuity references if we aren’t going to be getting the certification? To be sure we more than likely have that at our corporate level, but again, this is going to be focused on one service we are offering.
3. As my colleague mentioned previously, we’ve got several lines of business at ***. Should we treat all those lines of business not directly associated with our Managed Services team as suppliers? For example, *** is our head of HR. Would he need to be listed as a “supplier” since he doesn’t work inside our *** group?
4. Risk Register – how detailed do we need to get? Is “laptops” good enough to put on one line or do we need to list out all the individual laptops we’ll be using in the process? Same for offices, etc. Is it okay to lump groups of things together or do we need to list them all individually?