1 - For Register of legal, contractual and other requirements Step: what exactly should we do in this step?
2 - For ISMS Scope: we’re not sure what to include and what to exclude! do we have to include all our 14 subsidiaries? Do we need to exclude something or some departments?
3 - For Asset inventory: do we need to identify all assets we have? Or assets we provide? Or assets we’re using/purchased?
4 - For IT Security policy: is it only 1 global policy? Or we need to add related policies like: backup policy, cloud policy, data destruction policy ...).