Questions regarding 27001 implementation

1. In the data center we run there is a service called Remote hands, in which customers having their equipment there under a regime of collocation, meaning we have no logical access to data, we may do some wiring, etc. I know that other similar companies leave this service out of the scope. I understand this is the correct approach, but can you give me a good justification for this?

The justification in this case is that you do not control the information on such equipment, therefore you are excluding it from your ISMS scope.

For further information, see:- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

2. In our Spanish office (not the datacentre) we have a person who is a relative of our boss, whose activity has nothing to do with the company but he acts as a contact person for some administration duties. He shares a connection to the internet with us but we set up a separate VLAN so he can´t access our networks. Of course, he has physical access to all resources in this office. Should we leave him out of the scope or otherwise include him?

If this person has access to information included in the ISMS scope, for small and medium-sized companies it is better to include him/her in the ISMS scope, because the effort to segregate this person of the ISMS scope may not be worthy.

For further information, see:- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

3. We have an extensive asset inventory that we use to calculate amortization but the woman in administration refuses to give me a copy so I can include it in the documentation. Management is not supporting me with this because this woman is not easy to deal with and no one wants to fight her. Any solution? Is it mandatory to have the inventory as a separate document in the IS system or we can refer to it as it is now?

First is important to note that an asset inventory is required for ISO 27001 only if:

- there are unacceptable risks which treatment demands such inventory - there are contracts, laws or regulations you have to follow which demands such inventory - there is a top management decision demanding such inventory

If none of the above-mentioned situations occurs, then there is no need to keep such inventory.

In case the inventory is required, referring to an existent inventory is acceptable to be compliant with this control. However, if it is not feasible to use an existing inventory in some other department, you can always develop a new inventory of assets.

For further information, see:- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

4. Security records. What happens if we don´t have any (as such format) prior to the certification audit?

Some security records are mandatory for ISO 27001 (e.g., results of risk assessment and treatment), and without them, your organization won't be able to be certified.

For further information, see:- Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

5. Legal requirements doc: should all customers be listed? How often should it be updated then? Can we refer this item to our CRM software?

You need to list all customers who have security requirements. If some customers have the same security requirements, then you can group them together as a single entry into the list. 

Regarding updates, this list of legal requirements should be updated at least once a year or sooner if there are any significant changes in the organizational context.

If you already have the information required by the standard in your CRM software you can only refer to it and still be compliant with the standard.