Questions about scope, requirements and controls

Guest user Created:   May 08, 2021 Last commented:   May 12, 2021

Hello, 

Here are some questions. Not the ten from this month. I hope it is ok to send them in several batches.

Thank you very much in advance for your help!

Questions:

03- Scope template:

1.1.            Processes and services  [Specify the services and/or business processes which are included in the scope]
Q1 - Must this include a list of all programs, SharePoints, SaaS, etc.? Or is it just a high-level description like "applications developed"?
02 - Procedure for requirements identification for interested parties

Q2 - Shall we detail all contractual requirements, one by one, or only those that could impact information security? Do they need to be listed for each customer or can they be grouped? For example, if there is a legal requirement about retention time, can we just assign different contracts/customers to this requirement, or is it better to list customer by customer even if the requirement is the same? We don't know how detailed this must be.
Assets and controls 

Q3 - People can be assets (e.g., the IT Admin). How many of the employees are recommended to include in the assets? All our employees or just the ones in key positions?
Q4 - Assets and Controls: We are considering selecting around 150 assets, 110 of them applications or with some technical dependencies. This results in a lot of controls that apply to each asset. So far, we have this information in Excel sheets, one per asset, with all the pertinent controls. How do you suggest managing this amount of information? Is there any tool, besides Excel, that could help manage all this information? For the auditing process, do we need to maintain these Excel sheets/information? We haven't seen any reference in the mandatory requirements, only those to risk assessment, SoA, etc.

Expert
Rhand Leal May 08, 2021

03- Scope template:

1.1.   Processes and services  [Specify the services and/or business processes which are included in the scope]

Q1 - Must this include a list of all programs, SharePoints, SaaS, etc.? Or is it just a high-level description like "applications developed"?

Answer: Here you need to include only a high-level description, but please note that this needs to make reference to processes or services, and the example you provided is about products (it would be better to write “software development and maintenance process”).

By the way, included in your toolkit you have access to a video tutorial that can help you develop the ISMS scope document.

For more information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/ (this one is a recording from previous presented webinar)

02 - Procedure for requirements identification for interested parties

Q2.1 - Shall we detail all contractual requirements, one by one, or only those that could impact information security?

Answer: You only need to consider legal requirements (e.g., laws, regulations, and contracts) which can affect information Security or be affected by it.

Q2.2 - Do they need to be listed for each customer or can they be grouped? For example, if there is a legal requirement about retention time, can we just assign different contracts/customers to this requirement, or is it better to list customer by customer even if the requirement is the same? We don't know how detailed this must be.

Answer:  You can group legal requirements the way it best fits your needs (e.g., by the customer, by type of service, by value, by year, etc.). In case you have a specific law, regulation, or contract you consider worthy enough to monitor in an individual way you can list it separately.  

For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/

Assets and controls 

Q3 - People can be assets (e.g., the IT Admin). How many of the employees are recommended to include in the assets? All our employees or just the ones in key positions?

Answer:  People can be included as assets. Regarding which ones to include, it is not a question of how many people, but the roles which are involved with the ISMS scope. For example, if the ISMS scope covers only the IT department, you should think about roles such as the IT manager, system administrator, database administrator, network analyst, etc.

Q4.1 - Assets and Controls: We are considering selecting around 150 assets, 110 of them applications or with some technical dependencies. This results in a lot of controls that apply to each asset. So far, we have this information in Excel sheets, one per asset, with all the pertinent controls. How do you suggest managing this amount of information?

Answer: Information about assets and related controls should be registered in the Risk Treatment Table included in your toolkit in folder 05 Risk Assessment and Risk Treatment. The additional information you have about technical dependencies can be included in the Inventory of assets document included in your toolkit in folder 08 Annex A Security Controls >> A.8 Asset Management. In case you decide to keep your original excel sheets, you can use the Inventory of assets to create a main list identifying all excel sheets you need to manage.

By the way, included in the toolkit you bought you have access to video tutorials that can help you fill in the risk assessment and risk treatment documents. 

Q4.2 - Is there any tool, besides Excel, that could help manage all this information?

Answer: For management of assets information, you should consider our solution Conformio, which can be used not only to implement, but also to maintain an ISO 27001 ISMS.

For further information, see:
- Conformio (online tool for ISO 27001) https://advisera.com/conformio/

Q4.3 - For the auditing process, do we need to maintain these Excel sheets/information? We haven't seen any reference in the mandatory requirements, only those to risk assessment, SoA, etc.

Answer: Please note that this information is related to risk assessment and risk treatment, so you need to keep it, because it is required by the standard (clauses 8.2 and 8.3).

This article will provide you a further explanation about controls selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding selection of controls:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Guest
jorge May 10, 2021

Hello Rhand, thank you very much for your help. Maybe you already got the following question by the channel; I included it here just in case you didn't:

Q5 - We have developed an application. This application is deployed on the customer premises. We access/manage the application from within the customer facilities. How does this affect us in terms of ISO 27001? Shall we consider this an asset or consider it in our scope?

Guest
jorge May 11, 2021

Hi, about Q4.1 I think I didn't explain it right. We are assessing, for each asset, its status related to the 114 controls, as some kind of GAP analysis. So we have 150 assets and 114 controls for each one. A lot of Excel sheets... The "Risk Treatment Table included in your toolkit in folder 05 Risk Assessment and Risk Treatment" that you mention is for the risk assessment and only includes actual threats, I think. Not the status of each asset related to each control, but of course both are connected. My question was about any tool to handle this huge amount of information (150x114); from what I've seen, I don't think Conformio has any option to handle this specific information, but only risk assessment as in the template in the toolkit. Maybe we are overdoing it with this exercise. It looks like, based on your answer, that this list of Assets vs. All 114 controls is not required. Is this correct?

Thank you very much in advance 

Expert
Rhand Leal May 12, 2021

Your assumption is right. ISO 27001 does not require a list of Assets vs. Annex A controls. As you already perceived, this approach only creates a lot of data that won’t be very useful.

The standard’s approach for the application of controls is based on the identification of applicable legal requirements and mitigation of relevant risks. This way you keep your information at a minimum, i.e., only the basic information about assets (in the inventory of assets document), the assessed risks (in the risk assessment table), and the treated risks (in the risk assessment table).

By the way, included in your toolkit you have access to a video tutorial that can help you fill in the risk assessment and risk treatment table.

This article will provide you a further explanation about risk assessment and risk treatment:

These materials will also help you regarding assets, risk assessment, and risk treatment:
