We have bought the “ISO 27001 documentation toolkit” and now we have some questions:
1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with an asterisk (e.g. #4): are they required for the ISO certification, or can we decide if they concern us or not?
2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us?
3. The headquarters and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, belonging 100% to ***.
How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?
4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for the certifier?