Answer: ISO 27001 does not prescribe any record to be in both electronic form and paper form, so the only justification for keeping a record in both formats is if you have business or legal requirements demanding this specific situation. If such requirements do not exist, then you can keep a record only in electronic form.
For further information see:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
2. Is it allowed to have all records in electronic form?
Answer: Considering answer 1, if you do not have business or legal requirements demanding records in paper form, you can keep all records in electronic form.
3. Security Procedures for IT Department, Erasure and destruction records; commission for the destruction of data: Is it okay to write "Records of erasure/destruction must be kept for all data that is stored on the server" (as an example) if I'm not implementing the Information Classification Policy?
Answer: In theory this is acceptable, but without information classification levels to decrease the need for such erasure and destruction records, you may end up with a greater effort to keep such records than the effort to administer classification levels and adopt an Information Classification Policy.
4. Are there any specific requirements we must fulfill in order to have an adequate Training and Awareness Plan? Since the datacenter is the only location in the scope and it has adequate protection and security, I don't see a specific subject which the employees could gain knowledge about. All of them know the basic security principles; aside from that, they have a good understanding of how to assign and revoke access rights and such. A presentation concerning Security Awareness Training could be attended, but this would also include specific elements which are not relevant in the context of the scope.
Answer: The Training and Awareness Plan's objective is to help ensure persons are competent on the basis of appropriate education and training, by mapping gaps to be eliminated, so if your organization identifies that employees in the ISMS scope already have an acceptable level of competence, you can minimize the content of the plan (e.g., consider only awareness communication and recycling training).
For further information see:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/
5. Training and Awareness Plan: "the following awareness-raising methods must be applied: information day, intranet articles, newsletter, joint meetings, e-learning, internal e-mail messages, video recordings." Is it possible to adjust this list? We don't 'need' all of these in order to ensure that everyone has the adequate knowledge and skills.
Answer: The list provided in the template is only a suggestion, so you can adjust it according to your needs, including or excluding activities.
6. Confidentiality Statement: Is it mandatory to implement this document? We do have our own NDA, but this does not cover labeling.
Answer: The confidentiality statement template included in the toolkit is not required if your organization already makes use of an NDA document, but if control A.8.2.2 Labeling of information is applicable, then you may have to adjust it so it is clear in the NDA how people can identify information classification levels, and thus handle information properly.
7. If the unacceptable risks for a particular control are being transferred to a third party, what do we write for this control in the Statement of Applicability? Technically there are unacceptable risks for the control (so I don't think we can state that there are no unacceptable risks), but they are being transferred.
Answer: In the scenario you stated, you must write that the control is applicable because there are unacceptable risks demanding its implementation, and in the implementation method column you can write that the defined treatment for related risks is "risk transfer" and that this control is being implemented by a third party.