1. We are a rather small start-up company with about 50 employees, manufacturing a product with both hardware and software.
We do not have a CISO or an IT manager, just myself as the ICT lead to do all IT and Security related tasks.
What should we put in the documentation instead of CISO?
Or should we write somewhere that wherever it says CISO that would be the ICT lead acting as the CISO?
Or alternatively should we only include job titles that we actually have in the company?
I am not sure how to present this in the documentation and audit.
2. One of our team members looking at the risk part of our ISO 27001 plan suggested we combine 06.1_Appendix_1_Risk_Assessment & 06.2_Appendix_2_Risk_Treatment because:
1) they include a lot of the same columns.
2) you can use a filter instead of copy-pasting those risks that need treatment. Copy-pasting between tables is error prone.
Does the standard require these tables to be separate?
Can you explain why these are separate in the toolkit?
Any other comments will be very welcome.