Expert Advice Community

ISO 27001 project

Guest user Created: Mar 04, 2017 Last commented: Mar 04, 2017

1 - What are the most important assets we should focus on, in the Risk Assessment Table?
Expert
Rhand Leal Mar 04, 2017

Answer: The answer to this question depends fundamentally on the type of your business and the needs and expectations of your interested parties. For example, a research and development company will have different critical information assets than a bank. In this case I suggest you first identify which requirements your information security management system needs to fulfil, because those requirements will tell you which are the most critical assets you should focus on.

See this article for more information: How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

2 - Is it true that: the more controls in the Statement of Applicability are applicable, the easier it is to get certified? Or are just all mandatory controls enough? (I know it depends on the risk assessment table, but still)

Answer: The truth is just the opposite: the fewer controls you need, the easier it is to get certified, because you will have less work to do implementing and managing them. And there is no such thing as "mandatory controls" required by the standard. Controls from Annex A are mandatory only if there are risks which would require their implementation, and this decision is up to the organization. Basically, the justifications in a Statement of Applicability for implementing controls refer to (1) risks, (2) requirements of interested parties and (3) other logic considered by your organization.

See more information about Statement of Applicability here: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

3 - Any other parts of the project we should put extra focus on?

Answer: Definitely awareness and training should be on your list, because if people in the organization do not adopt the information security culture, you can have the best procedures and technical controls and still the organization's information won't be safe.

This article will provide you further explanation about awareness and training:
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

These materials will also help you regarding implementation of ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
