Expert Advice Community

Questions about ISO 27001 controls in Conformio

Guest user Created:   Mar 23, 2022 Last commented:   Mar 23, 2022

1. We have a question about this Time synchronization control - the control in Conformio says to use accurate time clocks and synchronize them automatically. We have a system in place to synchronize clocks, and the laptops that the employees use are also synchronized via Google services. We would like to understand if we should write a policy about this and what we can expect during the audit. Will the auditor ask to see how we do this for all clocks and laptops, or will he ask for a random one? Would this also be applicable to tablets? This is the task I am referring to: https://prnt.sc/KaIKTGeAtuK3 (control A.12.4.4)

2. We have similar questions around the task "Make sure all computers use anti-malware" related to control A.12.2.1 - what would the auditor check in relation to this, and do we need a written policy on how we handle this in our organization?

3. Also, the standard uses the words "elements to be considered" and gives 10 recommendations. Are these recommendations, or do we need to do everything that is listed?

Expert
Rhand Leal Mar 23, 2022

1. We have a question about this Time synchronization control - the control in Conformio says to use accurate time clocks and synchronize them automatically. We have a system in place to synchronize clocks, and the laptops that the employees use are also synchronized via Google services. We would like to understand if we should write a policy about this and what we can expect during the audit. Will the auditor ask to see how we do this for all clocks and laptops, or will he ask for a random one? Would this also be applicable to tablets? This is the task I am referring to: https://prnt.sc/KaIKTGeAtuK3 (control A.12.4.4)

Answer: ISO 27001 does not require control A.12.4.4 - Clock synchronization to be documented, so you can simply add the information on how it is implemented in the Statement of Applicability, by accessing it through the Statement of Applicability module.

Regarding activities during the audit, the auditor will want to see how you planned to implement this control (he can find this information in the SoA as we suggested) and choose some random devices to verify the implementation. All devices that have access to the information you want to protect (as defined in the ISMS scope) need to be covered by this control if it is applicable, including tablets.

2. We have similar questions around the task "Make sure all computers use anti-malware" related to control A.12.2.1 - what would the auditor check in relation to this, and do we need a written policy on how we handle this in our organization?

Answer: Control A.12.2.1 - Controls against malware also does not need to be documented, but as a commonly adopted practice, in case this control is defined as applicable, its implementation is documented in the IT Security Policy.

Regarding activities during the audit, the auditor will check if what was defined in the IT Security Policy is implemented.

For further information, see:
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

3. Also, the standard uses the words "elements to be considered" and gives 10 recommendations. Are these recommendations, or do we need to do everything that is listed?

Answer: From the extra information you’ve sent, I identified that you are referring to ISO 27002 in this question.

Considering that, please note that ISO 27002 is not mandatory for implementing ISO 27001. ISO 27002 is usually used by consultants who want to learn more about the standard.

For example, the implementation of whitelists or blacklists (recommendations b and c for control A.12.2.1 – Controls against malware) is necessary only in case you have relevant risks that can be treated by implementing such lists, or if you have to be compliant with a law, regulation or contract that demands the implementation of such lists.
