
Expert Advice Community

Several questions about documents

Guest user. Created: Apr 30, 2019. Last commented: Apr 30, 2019

1. If there are unacceptable risks associated with controls A.10.1.1 and A.10.1.2 (encryption) but we do choose to implement another control for the risk, what could we write in the 'Selection for non-justification'?

Expert
Rhand Leal Apr 30, 2019

Answer: If the alternative controls chosen to be implemented have reduced the risks to acceptable levels, then controls A.10.1.1 and A.10.1.2 are not applicable, and for justification you can state that there are no risks demanding control implementation.

On the other hand, if the alternative controls chosen to be implemented have not reduced the risks to acceptable levels, and you still decided not to implement controls A.10.1.1 and A.10.1.2 (e.g., because the costs related to the implementation are greater than the expected impact of risk occurrence), then you can state that related risks (IDs xxx, yyy, zzz, etc.) are accepted by top management decision.

2. If two controls have the same risk, what do we write at the justification for selection/non-selection at the second control if we implemented the first one and there are no other unacceptable risks?

Answer: If the first control applied has reduced the risk to acceptable levels, for the second one you can state that there are no risks demanding control implementation.

3. Do we really have to restrict access in case we'd like to access the information systems in the datacenter? We do have a Mobile Device and Teleworking Policy and Clear Screen and Clear Desk Policy which is being implemented.

Answer: If there are no unacceptable risks related to unrestricted access to information (not only by employees, but by customers, suppliers, contractors, external parties, etc.), nor legal requirements demanding access control, you do not have to restrict access to information, but this is almost an impossible situation, because any organization has, to some degree, some information it wants to restrict access to. Additionally, the Mobile Device and Teleworking Policy and the Clear Screen and Clear Desk Policy implement some degree of access control (e.g., by defining who is eligible for teleworking and by requiring screen lock when the user is away from his workstation).

4. Besides the GDPR, is there anything else that may be relevant to document in the 'List of Legal, Regulatory, Contractual and Other Requirements'? Perhaps eventual NDAs with stakeholders (e.g. customers) that are very sensitive to security, data, etc.?

Answer: GDPR is an example of a legal requirement related to laws, and your business probably will have some other laws or regulations related to its business that it must comply with. Other examples may be contracts with big customers and SLAs with suppliers. Since we are not legal experts, in these cases we recommend that organizations hire local legal advisers to guide them in identifying these requirements.

5. If we implement control A.9.2.5 (Review of user access rights), what should we as a webhosting company review for sure (systems, networks, services and physical access)?
We definitely have to review the physical access to the datacenter. I think we have to review access to Jelastic (server management) as well. Aside from that I wouldn't know anything else. I don't think we'd have to review access to more than 90 servers, right?

Answer: What you should review will depend on the results of the risk assessment and the identified legal requirements (without this information we cannot provide a more precise answer). For example, why are you sure you have to review physical access (e.g., because of risks, or because of legal requirements)?

Regarding the review of your servers, the same concept applies. If you have risks or legal requirements that demand the review of 45 servers (because of information stored or processed by them), then you only have to review these 45.

6. If we implement control A.12.3.1 (Information backup), we must test backup copies. If we are going to test these manually, it will take a very long time (since there are only 4 employees which are doing the webhosting services), is there a more 'achievable' way to test these backup copies?

Answer: Besides automatic tests (which require investment in equipment and software), an alternative you could use is to define a sample size with an acceptable degree of confidence and perform the tests only on the samples, changing the samples every time you perform the test (statistical knowledge is required for sample size definition). This is a way to ensure the backup process is working without a 100% test.

For example, you may find that to have 98% confidence that your backup process is working, you need to test 8 of 100 backup units, and only 1 can fail (if more than 1 fails you will have to test all units). This way, if your process is working properly you have to work on only 8 backups each time you test your process (of course, each time you perform the test you have to use a different set of backup units).

7. Records of testing backup copies: Which fields are mandatory?

Answer: ISO 27001 does not prescribe mandatory fields for backup records, but as good practice you can consider at least these fields: which information was requested to be backed up, the requester, the date of request, the date when the backup was performed, the result of the backup procedure (success / fail) and where the backup was stored.

8. Records of log reviews: Which fields are mandatory?

Answer: Also for this one ISO 27001 does not prescribe mandatory fields for log reviews, but as good practice you can consider at least these fields: source of log information (e.g., access control server), purpose of the log (e.g., identify unauthorized access, attempts of unauthorized access), expected results (e.g., no login attempts during non-working hours), recorded results (success/fail logins), decisions taken (e.g., situation ok, open an incident, etc.).

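The sampling approach from answer 6, written out as an added example (this is not code from the page, the expert, or any toolkit). Each test cycle verifies n of the N backup units, accepts the process if at most c sampled units fail and otherwise escalates to a full check, and rotates the sample so every unit is eventually tested. It also computes, exactly, the probability that a plan (n, c) catches a given number of broken units, which is the statistical part the answer mentions. The inventory, recorded digests and the corrupted unit are constructed here; in practice `verify_unit` would restore the unit and compare it with its recorded checksum.

```python
"""Sample-based backup verification with rotating samples and an acceptance rule.

Added example (not from the page or its author). Backup units, their recorded
digests and the corrupted unit below are constructed for demonstration.
"""
import hashlib
from fractions import Fraction
from math import comb

# Constructed inventory: unit id -> bytes as stored in the backup repository.
BACKUP_UNITS = {f"srv{i:02d}.tar": f"constructed payload of server {i}".encode()
                for i in range(1, 21)}
# Digest recorded when each unit was written (what the backup log would hold).
RECORDED_DIGESTS = {uid: hashlib.sha256(data).hexdigest()
                    for uid, data in BACKUP_UNITS.items()}
# Simulate silent corruption of one stored unit after its digest was recorded.
BACKUP_UNITS["srv07.tar"] = b"truncated or corrupted data"


def prob_reject(total_units, failing_units, sample_size, max_failures):
    """Probability that a random sample of sample_size units, drawn without
    replacement from total_units of which failing_units are broken, contains
    more than max_failures broken units (hypergeometric distribution).
    This is the chance the sampling plan catches a backup process in that state."""
    if not 0 <= max_failures < sample_size <= total_units:
        raise ValueError("need 0 <= max_failures < sample_size <= total_units")
    draws = comb(total_units, sample_size)
    accept = sum(
        Fraction(comb(failing_units, k) * comb(total_units - failing_units, sample_size - k), draws)
        for k in range(max_failures + 1)
    )
    return 1 - accept


def min_sample_size(total_units, failing_units, max_failures, target):
    """Smallest sample size whose probability of catching failing_units broken
    units reaches target (e.g. 0.98); None if no sample size up to N does."""
    for n in range(max_failures + 1, total_units + 1):
        if prob_reject(total_units, failing_units, n, max_failures) >= target:
            return n
    return None


def pick_sample(unit_ids, sample_size, last_tested):
    """Choose the units tested least recently (ties broken by id) so that
    successive cycles rotate through the whole inventory."""
    ordered = sorted(unit_ids, key=lambda uid: (last_tested.get(uid, -1), uid))
    return ordered[:sample_size]


def verify_unit(uid):
    """Stand-in for a restore test: recompute the digest of the stored unit and
    compare it with the digest recorded at backup time."""
    return hashlib.sha256(BACKUP_UNITS[uid]).hexdigest() == RECORDED_DIGESTS[uid]


def run_cycle(cycle_no, sample_size, max_failures, last_tested):
    """Run one test cycle and return the record that would be filed for it."""
    sample = pick_sample(BACKUP_UNITS, sample_size, last_tested)
    results = {uid: verify_unit(uid) for uid in sample}
    for uid in sample:
        last_tested[uid] = cycle_no
    failures = sorted(uid for uid, ok in results.items() if not ok)
    verdict = "accepted" if len(failures) <= max_failures else "full verification required"
    return {"cycle": cycle_no, "sample": sample, "failures": failures, "verdict": verdict}


if __name__ == "__main__":
    history = {}
    for cycle in range(1, 4):
        print(run_cycle(cycle, sample_size=8, max_failures=1, last_tested=history))
    print("P(catch 10 broken of 100 with n=8, c=1) =",
          float(prob_reject(100, 10, 8, 1)))
```

Running the script shows three cycles walking through the 20 constructed units eight at a time; the corrupted unit is caught in the first cycle, which is still accepted because one failure is within the allowance. `prob_reject` and `min_sample_size` let you check what confidence a plan actually gives for a given number of broken units, rather than taking the numbers on trust.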
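The log review record from answer 8, as an added example (not code from the page or the expert). It runs one check, "no successful logins outside working hours", over constructed sshd-style lines from a hypothetical access control server, counts success/fail logins, and files a record with the fields the answer lists. The `reviewer` and `review_date` fields and the working-hours window are assumptions added here.

```python
"""Log review producing a record with the fields suggested in answer 8.

Added example (not from the page or its author). Log lines are constructed.
"""
import re
from datetime import datetime

# Constructed sample log lines (ISO timestamp, host, process, message).
SAMPLE_LOG = [
    "2019-04-29T09:02:11 accessctl sshd[1201]: Accepted publickey for alice from 10.0.0.5",
    "2019-04-29T09:40:03 accessctl sshd[1230]: Failed password for invalid user admin from 203.0.113.9",
    "2019-04-29T12:15:44 accessctl sshd[1288]: Accepted password for bob from 10.0.0.7",
    "2019-04-27T02:13:09 accessctl sshd[1107]: Accepted password for bob from 198.51.100.23",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Accepted|Failed) \S+ "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

WORK_START, WORK_END = 8, 18  # assumed working hours, Monday to Friday


def parse_line(line):
    """Return a dict for a recognised login line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "success": m["outcome"] == "Accepted",
        "user": m["user"],
        "src": m["src"],
    }


def in_working_hours(ts):
    return ts.weekday() < 5 and WORK_START <= ts.hour < WORK_END


def review_logs(lines, reviewer, review_date):
    """Check the expected result over the lines and build the review record."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    successes = [e for e in events if e["success"]]
    failures = [e for e in events if not e["success"]]
    off_hours = [e for e in successes if not in_working_hours(e["ts"])]
    decision = "open an incident" if off_hours else "situation ok"
    return {
        "source": "access control server (sshd log)",
        "purpose": "identify unauthorized access and attempts of unauthorized access",
        "expected_result": "no successful logins outside working hours",
        "recorded_results": {
            "successful_logins": len(successes),
            "failed_logins": len(failures),
            "off_hours_logins": [
                f"{e['ts'].isoformat()} {e['user']} from {e['src']}" for e in off_hours
            ],
            "unparsed_lines": len(lines) - len(events),
        },
        "decision": decision,
        "reviewer": reviewer,
        "review_date": review_date,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(review_logs(SAMPLE_LOG, "reviewer-name", "2019-04-30"), indent=2))
```

The Saturday 02:13 login in the sample data violates the expected result, so the record's decision becomes "open an incident"; with only the weekday lines it reads "situation ok". Counting unparsed lines in the record makes it visible when the log format changes and the check silently stops seeing events.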
