1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.
We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.
What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.
2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use filter instead of copy pasting those risks that need treatment. Copy pasting between tables is error prone.
Does the standard require these tables to be separate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.
1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.
We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.
What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.
Please note that, besides top management, ISO 27001 does not prescribe any specific role to perform information security-related activities, so you can use the job titles that you actually have in your company.
For further information, see:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use filter instead of copy pasting those risks that need treatment. Copy pasting between tables is error prone.
Does the standard require these tables to be separate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.
ISO 27001 does not prescribe risk assessment and risk treatment to be documented as separate documents, but we do not recommend merging the Risk assessment table and Risk treatment table.
This is because not all risks from the Risk assessment table need to be treated, and very often for one risk you would need several controls (i.e., several lines for the same risk, each one associated with a different control). Keeping a single table would result in an unnecessarily big and complex table to manage.
Therefore, it is much easier to have two separate sheets for this purpose.
May 26, 2023
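The structural reason behind the answer above (the treatment sheet is a filtered, one-to-many derivation of the assessment sheet, and a merged sheet would repeat every assessment column once per control) is easy to see in code. The following is an added example written for this page, not code from the Advisera toolkit or the original post; all risk IDs, asset names, likelihood/impact values, the acceptable-risk threshold and the Annex A control references are constructed, illustrative values. The `untreated_risks` check is the kind of consistency test that replaces the copy-paste step the questioner was worried about: it flags any risk above the acceptable level that has no control assigned in the treatment plan.

```python
"""Added example (not from the original post or the Advisera toolkit):
why a risk treatment sheet is kept separate from the risk assessment
sheet, and how to check the two sheets stay consistent.
Every value below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AssessedRisk:
    """One row of the risk assessment sheet (asset/threat pair)."""
    risk_id: str
    asset: str
    threat: str
    likelihood: int   # constructed scale 1..5
    impact: int       # constructed scale 1..5

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


# Constructed risk assessment rows: one row per risk, whether or not it needs treatment.
ASSESSMENT = [
    AssessedRisk("R-01", "build server", "unauthorised access", 4, 5),     # level 20
    AssessedRisk("R-02", "office printer", "paper jam", 3, 1),             # level 3
    AssessedRisk("R-03", "firmware signing key", "theft of key", 2, 5),    # level 10
    AssessedRisk("R-04", "internal wiki", "outdated content", 2, 2),       # level 4
]

# Constructed treatment plan: one risk maps to several controls
# (control references are illustrative Annex A style labels).
TREATMENT_PLAN = {
    "R-01": ["A.8.5 secure authentication", "A.8.15 logging"],
    "R-03": ["A.8.24 use of cryptography", "A.8.3 access restriction",
             "A.7.10 storage media"],
}

ACCEPTABLE_LEVEL = 6   # constructed threshold: risks at or below this are accepted


def risks_needing_treatment(assessment, acceptable_level=ACCEPTABLE_LEVEL):
    """The 'filter' the questioner describes: only risks above the threshold."""
    return [r for r in assessment if r.level > acceptable_level]


def build_treatment_table(assessment, plan, acceptable_level=ACCEPTABLE_LEVEL):
    """Treatment sheet: one row per (risk, control) pair, for treated risks only."""
    rows = []
    for r in risks_needing_treatment(assessment, acceptable_level):
        for control in plan.get(r.risk_id, []):
            rows.append({"risk_id": r.risk_id, "level": r.level,
                         "control": control, "status": "planned"})
    return rows


def merged_sheet(assessment, plan):
    """What a single combined sheet would look like: every assessment column
    repeated once per control, plus a row for each risk with no control."""
    rows = []
    for r in assessment:
        controls = plan.get(r.risk_id) or [None]
        for control in controls:
            rows.append({"risk_id": r.risk_id, "asset": r.asset, "threat": r.threat,
                         "likelihood": r.likelihood, "impact": r.impact,
                         "level": r.level, "control": control})
    return rows


def untreated_risks(assessment, plan, acceptable_level=ACCEPTABLE_LEVEL):
    """Consistency check between the two sheets: every risk above the
    acceptable level must have at least one control in the treatment plan."""
    return [r.risk_id for r in risks_needing_treatment(assessment, acceptable_level)
            if not plan.get(r.risk_id)]


if __name__ == "__main__":
    treatment = build_treatment_table(ASSESSMENT, TREATMENT_PLAN)
    print(f"assessment rows: {len(ASSESSMENT)}, treatment rows: {len(treatment)}, "
          f"merged rows: {len(merged_sheet(ASSESSMENT, TREATMENT_PLAN))}")
    print("risks above threshold with no control:",
          untreated_risks(ASSESSMENT, TREATMENT_PLAN))
```

Run as a script it reports 4 assessment rows, 5 treatment rows and 7 merged rows: the merged layout carries the asset, threat, likelihood and impact columns three times for R-03 alone, while the two-sheet layout keeps each assessment row once and lets the treatment sheet grow only with the number of controls. Dropping `R-03` from `TREATMENT_PLAN` makes `untreated_risks` return `["R-03"]`, which is the gap a manual copy-paste between sheets would silently leave.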