Questions about ISO certification

1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with asterisk: (e.g.  #4): are they required at the ISO certification or can we decide if they concern us or not? 

Please note that the documents with check marks with asterisks are required when controls related to them are identified as applicable in the Statement of Applicability. Considering your example (#4 List of Legal, Regulatory, Contractual, and Other Requirements), the document is required when control A.5.31 is identified as applicable in the Statement of Applicability.

From our experience, all companies mark control A.5.31 as applicable in the Statement of Applicability.

2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us? 

In the Statement of Applicability, you have to mark a control as applicable if there are unacceptable risks, or if there are requirements from interested parties. Therefore, you have to complete the List of Legal, Regulatory, Contractual, and Other Requirements, and the Risk Treatment Table before you write Statement of Applicability.

For further information, see:

• Statement of Applicability in ISO 27001 - What is it and why does it matter? https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

3. The head quarter and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, and belonging 100% to ***.How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary? 

A single certification covering both sites, or a certification for each site are acceptable possibilities, and your decision should consider your business objectives and strategies.

A single certification is more complex to manage (e.g., both sites can be affected by issues related exclusively to one site), while different certificates create redundant costs related to the duplication of similar requirements.

In any case, you need to align this situation with your certification body first.

4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for certifier?

First is important to note that the definition of confidentiality levels is required only if control 5.12 Classification of information is identified as applicable in the Statement of Applicability.

Considering that, your classification “for employee use only” for all documents may be acceptable for certification purposes.

Please note that the control does not prescribe confidentiality levels to be defined (you may have only a single classification level) nor which information need to be classified.

For further information, see:

• Information classification according to ISO 27001 https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/