
Expert Advice Community

Questions about ISO certification

Guest user Created:   Dec 21, 2022 Last commented:   Dec 21, 2022

We have bought the “ISO 27001 documentation toolkit” and now we have some questions:

1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with asterisks (e.g. #4): are they required for the ISO certification, or can we decide whether they concern us or not?

2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us?

3. The headquarters and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, which belongs 100% to ***. How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?

4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for the certifier?


Expert
Rhand Leal Dec 21, 2022

1. In the document “List_of_documents_ISO_27001_2013_Documentation_Toolkit_EN” there are check marks with asterisks (e.g. #4): are they required for the ISO certification, or can we decide whether they concern us or not?

Please note that the documents with check marks with asterisks are required when controls related to them are identified as applicable in the Statement of Applicability. Considering your example (#4 List of Legal, Regulatory, Contractual, and Other Requirements), the document is required when control A.5.31 is identified as applicable in the Statement of Applicability.

From our experience, all companies mark control A.5.31 as applicable in the Statement of Applicability.

2. The document “06_Statement_of_Applicability_27001_EN” has a list of the applicability of controls. How shall we decide which controls are important for us?

In the Statement of Applicability, you have to mark a control as applicable if there are unacceptable risks, or if there are requirements from interested parties. Therefore, you have to complete the List of Legal, Regulatory, Contractual, and Other Requirements, and the Risk Treatment Table before you write the Statement of Applicability.

3. The headquarters and main company of ***, Inc. is in ***. We also have a subsidiary in ***, ***, which belongs 100% to ***. How do we have to proceed with the ISO certification? Is the *** certification enough for both companies? Do we need an extra chapter in the ISO certification for the *** subsidiary?

A single certification covering both sites, or a separate certification for each site, are both acceptable possibilities, and your decision should consider your business objectives and strategies.

A single certification is more complex to manage (e.g., both sites can be affected by issues related exclusively to one site), while different certificates create redundant costs related to the duplication of similar requirements.

In any case, you need to align this situation with your certification body first.

4. We need to set the confidentiality levels on all documents. Is the standard “for employee use only” for all documents good enough for the certifier?

First, it is important to note that the definition of confidentiality levels is required only if control 5.12 Classification of information is identified as applicable in the Statement of Applicability.

Considering that, your classification “for employee use only” for all documents may be acceptable for certification purposes.

Please note that the control prescribes neither which confidentiality levels must be defined (you may have only a single classification level) nor which information needs to be classified.
