ISO 27001 implementation

1. I’ve got a question on perspective. As we fill out some of this documentation, specifically as we were filling out the Statement of Applicability, we were going down the first column deciding if certain annex controls were applicable to us. We found that we were going back and forth on whether a control is applicable or not based on the perspective of looking at it from an *** perspective or from the customer’s perspective.
For example, A.7.2.2 “Information security awareness, education and training”. If I look at that from an *** perspective, we’re obviously going to have that policy in place at the corporate level, but do we need one at the level of Managed Services? And is this applicable to us because we wouldn’t have any sort of information security awareness training for customers of ours, nor should they expect that for the services we’re offering. So how are we made to look at this?

First is important to note that the extent of application of control will depend on your scope of the ISMS.

Considering that, in case your customers are included in the ISMS scope, then control A.7.2.2 will be applicable both to your employees and to your customers. In general, what happens is that only customer's information is included in the scope, not customer's personnel, then control A.7.2.2 is applicable only to the organization's employees.

For further information, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/

2. There’s a lot of business continuity stuff listed in the templates, but Business Continuity ISO certification is not a part of our certification process from our external auditing team. So do we still need to complete all of the business continuity references if we aren’t going to be getting the certification? To be sure we more than likely have that at our corporate level, but again, this is going to be focused on one service we are offering.

If you are going only for ISO 27001 certification, to cover requirements from A.17 controls from Annex A, you only need the Disaster Recovery Plan, located in folder 08 Annex A >> A.17 Business Continuity >> 04 Business Continuity Plan

3.  As my colleague mentioned previously, we’ve got several lines of business at ***. Should we treat all those lines of business not directly associated with our Managed Services team as a supplier? For example, *** is our head of HR. Would he need to be listed as a “supplier” since he doesn’t work inside our *** group?

Lines of business that are not included in the ISMS scope but have relations with it can be considered as suppliers if they provide resources for the ISMS scope.

The above-mentioned article about defining the ISMS scope can provide additional information.

4. Risk Register – how detailed do we need to get? Is “laptops” good enough to put on one line or do we need to list out all the individual laptops we’ll be using in the process? Same for offices, etc. Is it okay to lump groups of things together or do we need to list them all individually?

ISO 27001 does not prescribe the detailed level of the risk register, so organizations can adopt the level that better suits them.

Regarding assets, you can use a single item like "laptops" to refer to all laptops in your organization in the risk assessment process, but please note that, if you have a situation where different groups of laptops need to be treated differently, you can adopt multiple items, like "development laptops", "management laptops", etc.

For further information, see:

• How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

By the way, included in the toolkit you bought you have access to a video tutorial that can guide you in filling out the risk assessment table. I recommend you to see the available video tutorial before writing documents because they present examples with real data may clarify your doubts.