I have some questions if that's okay! See below:
What documents should we be including under the ISMS? Should the scope mainly include policies and procedures, or should we be including all client/supplier contracts and day-to-day project documents, e.g. cost estimates / statements of work, etc.?
Double-check internal annual audit - does this need to happen every year? If so, when does this happen, e.g., every year from certification? (In our case, we're looking to be certified Sept 2023, so Sept 2024 would be the next internal audit.) Is there any leniency on it being 12 months versus 18 months, for example?
Remote working policy - this is more general advice, but do we need to add how we manage people working abroad, as they need to be able to work from wherever they can on business which can sometimes mean in a coffee shop or workspace, which we advise against when working in London for security reasons. What do others usually suggest here?
Again, this is more seeking advice, but should client infrastructure be covered under our ISMS scope? We are currently excluding it, as we feel we would be covered under their own security policies, but just wanted to double-check that's accurate / what the standard is?
Thanks very much!