During the implementation of ISO 27001, we had a risk as follows:
When a customer requests a live demo, the development team is most probably late or not available (it has other tasks) to develop this demo. This led to the loss of an opportunity in some cases. The mitigation of this risk is to develop an OLA (Operational Level Agreement) for this service (developing a demo). My question is:
Is this risk related to the ISMS (ISO 27001)? If yes, as per classification, under which control in ISO 27002 can it be considered?
Answer: A development team being late or not available to deliver a demo, leading to the loss of an opportunity, is a risk related to the process of providing a product, so it is more related to a Quality Management System (QMS), or to a Business Continuity Management System (BCMS), than to an Information Security Management System (ISMS).
Regarding the labelling of information classification:
1- If I use SAP as an ERP, is it a must for me to customize it to label all generated reports with the classification (confidential, internal, ...)?
Answer: You can define that reports generated by information systems should include classification labels when they have functionalities that allow this to be done in a cost-effective way (considering the relevance of the associated risks).
2- If I use non-customized software, how can I label its generated reports?
Answer: When labelling functionalities are not available, or their implementation is not cost-effective, you can insert the classification level in the textual part of the report (e.g., as the first line at the top), or you can define in the classification policy that this particular report must be considered to have a specific classification by default, or someone can add the classification label by hand, writing it on the report after printing.
3- Can we have a code like: if there is no label on a document, this means it is of the type "Internal use"?
Answer: Yes, you can, but as a means to reduce your administrative effort and costs, you should apply it to the most common classification attributed to information in your organization, which may or may not be "Internal use".
4- If the classification of a printed document changes, what should I do about labelling? (What is the best implementation for such a case?)
Answer: If the classification of a printed document is changed, it has to be replaced by a new version with the new classification label, and the old one must be handled according to the procedure for document control.
5- In a meeting, one of the employees said that when we label any document 'Confidential', we give a thief a sign to steal it. So he does not want to apply classification labels. Another one replied, "We have to do it for the sake of ISO 27001. We believe it is useful in some cases but has great side effects that make us not interested in applying this control." What do you think?
Answer: First, you do not have to do it "for the sake of ISO 27001", but for the sake of your business. That said, if a document is classified and marked as confidential, and protected as such, how would a thief get to it? If he can access the document, this means that at some point the access control is not working properly.
Instead of having a CISO, an Information Security Committee has been formed. The members are the HR, QA and IT managers. The head of this IS Committee is the HR Manager. This committee will play the role of the CISO. Are there any concerns about that?
Answer: ISO 27001 allows you to have team responsibilities for information security, but I think this is a bad idea - when several people are responsible, this actually means that no one is responsible. My suggestion would be to nominate one person who will act as CISO (this person can perform other functions as well), and this person will be responsible for the whole ISMS. Of course, you can still have this committee, which will make some of the bigger decisions.