Queries related to old client

I’m assuming you want to know how to handle old customers considering ISO 27001 certification and policies and procedures not implemented yet.

Considering that, first is important to note that you need to follow all ISO 27001 implementation Steps: https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

According to these steps, you need first to evaluate if these old customers have requirements (i.e., needs and expectations defined in contracts or agreements you have with them) that can impact or be impacted by the information you want to protect with your Information Security Management System (ISMS).

In case such requirements exist, then you need to consider them in your implementation, by identifying information security risks related to these requirements and, for those risks deemed as relevant, develop and/or adjust policies and procedures accordingly.

For example, if these customers have requirements for which compromise of availability of information protected by the ISMS can impact them, then you need to identify relevant related risks and develop or update a backup policy.

In case there are no relevant requirements, these customers do not need to be considered in the ISMS.

For further information, see:

• How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/