Question related to Antivirus

Guest user Created:   Apr 25, 2023 Last commented:   Apr 25, 2023

1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe they should be erased because they are not applicable. Please let me know if you have any ideas or suggestions that we might write down or if we need to prepare any additional documents for this since records cannot be modified once they have been produced.

2. There are 12 team members total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So as per your suggestion, we will run a pilot run for 3 employees basically with the IT administrator handling all the server data so we will install it first. How would you advise in this situation?

Expert
Rhand Leal Apr 25, 2023

1. In the section titled "Managing records kept on the basis of this document" of the SECURITY PROCEDURES FOR IT DEPARTMENT document, it is stated under Controls for record protection that "Once the record is created, the record cannot be changed." Given that the record cannot be changed, what will be the record name that we can provide? This information has not been included in the documents, so I believe they should be erased because they are not applicable. Please let me know if you have any ideas or suggestions that we might write down or if we need to prepare any additional documents for this since records cannot be modified once they have been produced.

For the change record name you can use the name of the current documentation you use to handle changes. In case you are implementing this record for the first time, you can use any name you want.

The information about change record name is not included because ISO 27001 does prescribe it, and organizations normally already have their own named records (e.g., change plan, change order, change ticket, etc.)

2. There are 12 team members total, so I believe we will initially go for 3 team members as of now. I hope that will be fine to achieve the ISO 27001 certification or will there be any blockers for that? Yesterday we discussed antivirus, and I told you that we don't have any antivirus in our company. So as per your suggestion, we will run a pilot run for 3 employees basically with the IT administrator handling all the server data so we will install it first. How would you advise in this situation?

In the Risk Treatment Plan, you can specify that you will start implementing a control gradually - as you suggested only for 3 employees initially, and afterward for the rest of the company.
