1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe they should be erased because they are not applicable. Please let me know if you have any ideas or suggestions that we might write down or if we need to prepare any additional documents for this since records cannot be modified once they have been produced.
2. There are 12 team members total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification, or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So as per your suggestion, we will run a pilot run for 3 employees basically with the IT administrator handling all the server data so we will install it first. How would you advise in this situation?