Questions for applicability

1) Appendix 1 – List of Legal, Regulatory, Contractual and Other Requirements

Could you provide some guidance how we can tackle this? 

Answer: Please note that included in the template you have several comments about what to fill in each column. As a practical example, we can have:

A customer named Jon has a service level agreement with your company which defines, on clause 32-b, that access to all information provided by the customer to information system ABC are restricted to customer personnel only. In this case, the person responsible for system ABC is responsible to ensure compliance of the system to this requirement. Then your document would be like this:

Interested party: Customer Jon Requirement: Clause 32-b (Information provided to system ABC are restricted to customer's personnel) Document: Service level agreement Person responsible for compliance: System ABC administrator Deadline: when system ABC is made available for customer use

Besides Service Level Agreements, you should consider laws and regulations applicable to the locations where you operate. For identification of specific requirements for your organization we recommend you seek expert legal advice. 

2) STATEMENT OF APPLICABILITY - Applicability of controls . 

Justification for selection/ non-selection
Control objectives
Implementation method
Status
We'd also appreciate some more guidance regarding this subject. 

Answer: Please note that included in your toolkit you have access to a video tutorial that can help you fill in the Statement of Applicability, using examples with real data.

If you already saw the video tutorial and you still think you need more help, you can either send us your specific doubt or schedule a meeting with one of our experts, so he can help you solve your issues. To schedule a meeting, please access this link: https://advisera.com/27001academy/consultation/

3) BRING YOUR OWN DEVICE (BYOD) POLICY.

Could you please help us understand why it is not allowed to do the following with BYOD connect via Bluetooth to any kind of device?

Answer: Please note that not allowing bluetooth conectivity is good practice adopted by organziations, that's why it is included in the template. However in case you do not have relevant risks (e.g., an unauthorized person accessing a corporate cellphone through Bluetooth), or legal requirements (e.g., laws, regulations, or contracts) demanding such prohibition you can exclude this ite from your policy (the template is fully editable).

For further information, see: - The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/ 

4) Risk Assessment 05.2_Appendix_2_Risk_Treatment_Table_27001_EN and 05.1_Appendix_1_Risk_Assessment_Table_27001_EN and
How can we ensure we include all applicable risks? From your experience, is it enough to keep the risks suggested from the toolkit? Do you have any techniques to assess the risk ourselves?

Answer: ISO 27001 does not require a "minimum" number of risks, only that relevant risks are identified and treated.

Considering that, you should be more concerned about the quality of the identified risks (i.e., how relevant they are for the organizations) than their quantity. The single point you need to pay attention to is to not overlook obvious risks, i.e., risks that someone with proper competence on the process or asset would easily identify. To mitigate this risk you need to include in the risk assessment the personnel involved with the process or asset.

Additionally, you will need to review the risk assessment at least once a year, and this will be an opportunity to include new risks you did not enter into the assessment until then.

 As for the suggested risks, you need to consider your own context to identify those relevant to you, so you must not keep only the suggested risks.

These articles will provide you a further explanation about risk assessment and treatment:
- ISO 27001 risk assessment: How to match assets, threats, and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
- Risk assessment tips for smaller companies https://advisera.com/27001academy/blog/2010/02/22/risk-assessment-tips-for-smaller-companies/

By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Risk Assessment Table and Risk Treatment Table, using examples with real data.