ISO 27001 implementation steps

Guest user | Created: Dec 20, 2018 | Last commented: Dec 28, 2018

I am new to ISO 27001 and am just starting off on gaining ISO 27001 accreditation with my company. Our company is only small, with around 50 users.

Expert
Rhand Leal Dec 20, 2018

I have started off by creating the following documents and sent them out to our CEO for approval:
Procedure for Document and Record Control
ISMS Project Plan
Once I have received approval on these 2 documents, what is the recommended next step(s)?

Answer:

After getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
1) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
2) development of risk assessment and treatment methodology;
3) perform risk assessment and define the risk treatment plan;
4) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5) people training and awareness;
6) controls operation;
7) performance monitoring and measurement;
8) perform internal audit;
9) perform management critical review; and
10) address nonconformities, corrective actions and opportunities for improvement.

This article will provide you further explanation about ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Expert
Rhand Leal Dec 31, 2018

1- In regards to the scope;
Does this involve listing the services we offer as a company? We offer both Web Based services as well as traditional printing services, do both of these need to be included?

Answer: The main point to identify which information you need to get from your clients is to identify which information they want to protect. If they want to protect customer information, then you have to list the offered services which handle that information (e.g., if the information they want to protect is handled only by the traditional printing service, then only this service must be included in the ISMS scope).

These articles will provide you further explanation about scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

2 - In regards to Interested Parties;
Does this involve mentioning our clients/customers only or do we need to include our suppliers too?
Apologies for the multiple questions, but this is the first time I have undertaken this process.

Answer: There is no need for apologies. We are here to provide this kind of support in your journey to implement ISO 27001.

Regarding your question, you have to include as interested parties those which can affect or be affected by your ISMS. For example, employees and suppliers can affect the ISMS with their actions, while regulators and customers can be affected by how the ISMS protects information. All these must be considered as interested parties if they interact with the information the ISMS is intended to protect.

These articles will provide you further explanation about interested parties:
- How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

Expert
Rhand Leal Jan 05, 2019

>1 - We use the Microsoft Azure Public cloud heavily to provide Web Services to clients. One of my executives is asking if we can just include this platform in the scope and have the IT department that ‘interfaces’ with it as an ‘interested party’, therefore reducing the amount of work involved. Only the IT Department interfaces with this platform.

In summary, are we able to only include a ‘platform’ or does the scope have to include an organisational unit.

Answer: You can include cloud environments in your ISMS scope without problems, and the extent to which you have to include them in your ISMS scope will depend on the type of service you have:
- If you have an Infrastructure as a Service (IaaS) agreement, then software and data should be in the ISMS scope, while physical location and hardware are completely out.
- If you have a Platform as a Service (PaaS) agreement, then data and all application software should be included in the ISMS scope, while everything else is out, including all system software.
- If you have a Software as a Service (SaaS) agreement, then only the data should be in the ISMS scope.

Regarding who will interface with the cloud provider, you can define the IT department without problem also.

This article will provide you further explanation about ISMS scope and cloud environments:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/

>2 - Also, once I have ironed out the requirements of the scope for the meeting, how do I go about recording it efficiently? Am I best using a spreadsheet of some kind?

Answer: To document your ISMS scope, I suggest you take a look at the free demo of our ISMS Scope Document at this link: https://advisera.com/27001academy/documentation/isms-scope-document/

This document can help clearly define the boundaries of the ISMS, fulfilling the requirements of the ISO 27001 standard.
