Here are some questions. Not the ten from this month. I hope it is OK to send them in several batches.
Thank you very much in advance for your help!
03- Scope template:
1.1. Processes and services [Specify the services and/or business processes which are included in the scope]
Q1 - Must this include a list of all programs, SharePoint sites, SaaS, etc., or is a high-level description like "applications developed" enough?
02 - Procedure for requirements identification for interested parties
Q2 - Shall we detail all contractual requirements, one by one, or only those that could impact information security? Do they need to be listed for each customer, or can they be grouped? For example, if there is a legal requirement about retention time, can we just assign the different contracts/customers to this requirement, or is it better to list customer by customer even if the requirement is the same? We don't know how detailed this must be.
Assets and controls
Q3 - People can be assets (e.g. the IT admin). How many of the employees is it recommended to include as assets? All our employees, or just the ones in key positions?
Q4 - Assets and controls: We are considering selecting around 150 assets, 110 of them applications or assets with some technical dependencies. This results in a lot of controls that apply to each asset. So far, we have this information in Excel sheets, one per asset, with all the pertinent controls. How do you suggest managing this amount of information? Is there any tool, besides Excel, that could help manage all this information? For the auditing process, do we need to maintain these Excel sheets/this information? We haven't seen any reference to it in the mandatory requirements, only those for the risk assessment, SoA, etc.