ISO 27001 templates content

Guest user Created:   Mar 25, 2019 Last commented:   Mar 25, 2019


1. Not all the unacceptable risks must be documented in the SoA (selection of controls option), besides selection of controls you can also choose to accept risks, avoid risks or share risks with third parties. If I choose one of the other 3 options, what do I have to write in my Statement of Applicability?

Expert
Rhand Leal Mar 25, 2019

Answer: If you choose the option "accept risk", you should document such risks in section 4 of our Statement of Applicability template (in section 3 you list all applicable and non-applicable controls).

2. Regarding chapter A.14: A webhosting company which doesn't develop software at all might be subject to some of the controls in chapter A.14 if it is buying a 3rd-party CRM. The previous time I asked you, you responded the following: "mainly those related to definition of security requirements and system acceptance." Which other controls besides A.14.1.1 are we talking about in the case of buying a 3rd-party CRM system?

Answer: Other controls to be considered are 14.2.3 Technical review of applications after operating platform changes, and 14.2.9 System acceptance testing.

3. If an asset isn't used by anyone, do I still have to add it to the 'Inventory of assets'?

Answer: If an inventory of assets is applicable to your context, you only have to include assets that are involved with the information you want to protect. So, if an asset isn't used by anyone, there is no need to include it in the inventory.

4. Security Procedures for IT Department, 6.5.1 "Describe the technology used for erasing data from media in the equipment": We don't have any specific tool for the removal of data. Let us say a customer wants to end his services at our company; then all we have to do is press the "Delete client" button on the tool(s) that we use for administration (both invoicing and webhosting). Is this okay, or do we really need a tool which we use specifically for the removal of data?

Answer: If this "Delete client" functionality can ensure the data cannot be recovered by any means, then you can use it to fulfill the requirement from section 6.5.1 of the Security Procedures for IT.
