Yet another question. Since our company is in the early stages and consists of a small organization, we are able to easily change our ways of working. This means we can also prevent getting into situations where we have risks which are unacceptable.
As I understand it, if we're able to implement all relevant controls before entering any ISO27001 certification, then we should be able to completely ignore documents such as the ones regarding risk treatment. This would mean that status for all items in Statement of Applicability is either set to not applicable, or fully implemented. Can you confirm that we are able to ignore the documents related to risk treatment in this case? Also, is it common to do it like this?
Please note that “documents regarding risk treatment” can mean documents related to ISO 27001 clauses 6.1.3 and 8.3, and documents related to ISO 27001 Annex A.
Documents related to clauses 6.1.3 and 8.3 cannot be ignored because they are mandatory documentation. You need to develop them to be compliant with the standard. You need to document the results of risk treatment, even if you already have implemented controls. Documents required by these clauses are:
- Risk treatment plan (clauses 6.1.3 e, 6.2, and 8.3)
- Risk assessment report (clauses 8.2 and 8.3)
Regarding ISO 27001 Annex A, some controls, when defined as applicable, also require documents to be written:
- Definition of security roles and responsibilities (clauses A.7.1.2 and A.13.2.4)
- Inventory of assets (clause A.8.1.1)
- Acceptable use of assets (clause A.8.1.3)
- Access control policy (clause A.9.1.1)
- Operating procedures for IT management (clause A.12.1.1)
- Secure system engineering principles (clause A.14.2.5)
- Supplier security policy (clause A.15.1.1)
- Incident management procedure (clause A.16.1.5)
- Business continuity procedures (clause A.17.1.2)
- Statutory, regulatory, and contractual requirements (clause A.18.1.1)
In case you have implemented any of the above-mentioned controls, you need to develop the related documents. For other controls, no documentation is defined as mandatory, and you do not need to develop documents for them.