I have some questions regarding 27001 implementation.
1 - In the datacentre we run there is a service called Remote Hands for customers who have their equipment there under a colocation regime, meaning we have no logical access to their data; we may do some wiring, etc. I know that other similar companies leave this service out of the scope. I understand this is the correct approach, but can you give me a good justification for it?
2 - In our Spanish office (not the datacentre) we have a person who is a relative of our boss, whose activity has nothing to do with the company, but he acts as a contact person for some administration duties. He shares an internet connection with us, but we set up a separate VLAN so he can't access our networks. Of course, he has physical access to all resources in this office. Should we leave him out of the scope or include him?
3 - We have an extensive asset inventory that we use to calculate amortization, but the woman in administration refuses to give me a copy so I can include it in the documentation. Management is not supporting me on this because this woman is not easy to deal with and no one wants to fight her. Any solution? Is it mandatory to have the inventory as a separate document in the IS system, or can we refer to it as it is now?
4 - Security records. What happens if we don't have any (in such a format) prior to the certification audit?
5 - Legal requirements document: should all customers be listed? How often should it be updated then? Can we refer this item to our CRM software?