Questions about implementation
I have some questions if that's okay! See below:
What documents should we be including under the ISMS? Should the scope mainly include policies and procedures, or should we be including all client/supplier contracts and day-to-day project documents, e.g., cost estimates, statements of work, etc.?
Double check internal annual audit - does this need to happen every year? If so, when does this happen, e.g., every year from certification? (In our case, we're looking to be certified in Sept 2023, so Sept 2024 would be the next internal audit.) Is there any leniency on it being 12 months versus 18 months, for example?
Remote working policy - this is more general advice, but do we need to add how we manage people working abroad? They need to be able to work from wherever they can on business, which can sometimes mean a coffee shop or a shared workspace, something we advise against when working in London for security reasons. What do others usually suggest here?
Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We are currently excluding it, as we feel we would be covered under the clients' own security policies, but we just wanted to double check that this is accurate and what the standard is.
Thanks very much!
1 - What documents should we be including under the ISMS? Should the scope mainly include policies and procedures, or should we be including all client/supplier contracts and day-to-day project documents, e.g., cost estimates, statements of work, etc.?
The documents to be included in your ISMS will depend on your defined scope, i.e., the processes or locations where the information you want to protect flows.
For example, if your ISMS scope covers only a software development and maintenance process, then the source code, customer specifications, and policies and procedures related to that process should be included in the ISMS.
If your whole organization is included in the ISMS scope, then all the information you mentioned should be included.
For further information, see:
- All you need to know about setting the ISO 27001 scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
2 - Double check internal annual audit - does this need to happen every year? If so, when does this happen, e.g., every year from certification? (In our case, we're looking to be certified in Sept 2023, so Sept 2024 would be the next internal audit.) Is there any leniency on it being 12 months versus 18 months, for example?
An internal audit needs to be performed before each planned audit scheduled by your certification body (i.e., the certification and surveillance audits), so you need to consider the certification body’s audit schedule to check when to perform the audits. In general, certification bodies define a one-year cycle for their surveillance audits, so in this situation, you need to perform at least one internal audit per year.
Regarding when to perform the internal audits prior to the certification body's audits, there is no prescribed period, so organizations can perform them according to their needs, provided the internal audits are performed before a scheduled certification/surveillance audit.
Since the internal audit is a mandatory requirement, not performing an internal audit before a scheduled certification body’s audit would be a major non-conformity, which can compromise your certification.
For further information, see:
- ISO 27001 internal audit: The complete guide https://advisera.com/27001academy/knowledgebase/how-to-make-an-internal-audit-checklist-for-iso-27001-iso-22301/
This material can also help you:
- ISO 27001 Internal Auditor Course https://advisera.com/training/iso-27001-internal-auditor-course/
3 - Remote working policy - this is more general advice, but do we need to add how we manage people working abroad? They need to be able to work from wherever they can on business, which can sometimes mean a coffee shop or a shared workspace, something we advise against when working in London for security reasons. What do others usually suggest here?
Please note that common practices are already covered in the Mobile Device, Teleworking and Work from Home Policy, such as:
- Access control
- Backup
- Storage of devices when not in use
This template is located in folder 09 – Annex A Security Controls.
For additional practices to be considered, you need to check the results of risk assessment and applicable legal requirements (e.g., laws, regulations, and contracts).
4 - Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We are currently excluding it, as we feel we would be covered under the clients' own security policies, but we just wanted to double check that this is accurate and what the standard is.
You should include in your ISMS scope only the infrastructure you can control, so you should leave the client infrastructure out of your ISMS scope.
Jun 07, 2023