Register of legal, contractual and other requirements

Guest
Guest user Created:   Jul 19, 2022 Last commented:   Jul 19, 2022

1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

2 - For ISMS Scope: we’re not sure what to include and what to exclude! Do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

4 - For IT Security policy: is it only 1 global policy? Or do we need to add related policies like backup policy, cloud policy, data destruction policy, ...?

Expert
Rhand Leal Jul 19, 2022

1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?

In this step, you need to record all laws, regulations, standards, and contracts that impose information security requirements on your company.

This step will help you identify which security controls you need to consider in your ISMS implementation.

For further information, see:

  • How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
  • Conformio video “Register of requirements” https://vimeo.com/showcase/6734609/video/508420680

2 - For ISMS Scope: we’re not sure what to include and what to exclude! Do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?

To help you define your ISMS scope, please access this free tool: Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/

3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?

ISO 27001 does not require you to have a separate Asset inventory, so in Conformio the Risk Register is used for listing the assets.

In Conformio assets are identified as part of the information risk assessment and treatment, in the Risk Register module, so you only need to identify assets that are relevant to the information you want the ISMS to protect. You should include all assets that you control - those could be the assets you are using (e.g., your people), that you purchased (e.g., laptops), or that you provide to third parties (e.g., Software-as-a-Service).

4 - For IT Security policy: is it only 1 global policy? Or do we need to add related policies like backup policy, cloud policy, data destruction policy, ...?

ISO 27001 does not prescribe the content of an IT Security policy, so you can develop it as a single document or as multiple documents covering specific areas.

In Conformio you can either use a single document for the IT Security policy or use several separate documents. You can decide that after performing the risk assessment step, and Conformio suggests the documents you need to develop within the Statement of Applicability step, considering the applicability of controls.

For further information, see:

  • 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
  • How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
  • How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/