Answer: First, it is important to note that you have to define a list of special interest groups only if you have a requirement demanding this list (e.g., an unacceptable risk, contract, law, etc.).
Considering that, special interest groups refer to persons or entities you must contact in specific situations (e.g., to report an incident to a law enforcement authority, to ask a supplier for information about equipment, etc.), so you need to identify them. Referring only to the regulations you must comply with will not be sufficient, either because they may not define which persons or entities must be contacted, or because, by referring only to the regulations, a user looking for such a contact will still have to search for it in the referred document, delaying any activity which requires this information.
2. Backup procedure: Is it enough to define this in the 'Security Procedures for IT Department'? I saw that there's also a section in the 'IT Security Policy'.
Answer: Please note that these two documents have different target users. While the 'Security Procedures for IT Department' defines the backup procedure to be performed by IT personnel, considering the backup of systems information used by the organization, the 'IT Security Policy' defines the backup procedure to be performed by general users regarding the information stored on their own computers, so you have to define procedures in both documents.
3. Confidentiality Statement: Is this document useful without a reference to the Information Classification Policy?
Answer: To be useful without referring to the Information Classification Policy, the Confidentiality Statement must contain in its clauses the definition of which information must be protected, how it can be identified (i.e., labeling rules), and how it must be protected.
4. IT Security Policy & Security Procedures for IT Department: Information Transfer / E-mail and other message exchange methods relevant in context of the scope? The scope is limited to the datacenter, so all the operations in the office are not included in the scope.
Answer: Even if the scope is limited to the datacenter, the processes and services running inside it still exchange information with elements outside the datacenter, so you have to consider this exchanged information when developing the IT Security Policy & Security Procedures for IT Department.
5. IT Security Policy: Clear desk and clear screen policy relevant in context of the scope? The scope is limited to the datacenter, so all the operations in the office are not included in the scope.
6. Security Procedures for IT Department, [Name of change record] - in electronic form: Does the name of this record have to be the name of something specific which is part of an information system, or can I just call it "Change records" to refer to all the change records?
Answer: There is no need to have specific names for different change records. You can refer generally to these records as "Change records", and specify in the Storage location column "The system where the change record was created". This way you create a link between the record and the system where it is used.
For additional information see:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
7. Records in general: Do I have to store some of the records in the intranet, or is it also allowed to store this on the laptop of a responsible person?
Answer: ISO 27001 does not prescribe where to store records, so you can define the storage location as best fits your organization.
8. Difference A.12.5.1 and A.12.6.2
Answer: Control A.12.5.1 (Installation of software on operational systems) refers to the implementation of procedures to control software installation in general, used by IT staff and general users, while control A.12.6.2 (Restrictions on software installation) refers to rules specific to non-IT personnel regarding which software they can install.
For example, you can have a procedure for installing antivirus software (which fulfills control A.12.5.1) that may define that all employees can install antivirus software, or that only IT personnel can install it (this rule in the procedure fulfills the control A.12.6.2).
9. Do documents have to be signed?
Answer: Only printed documents must be signed. For electronic documents other means may be defined to evidence that a document is approved (e.g., log or status in a document management system, or an approval email sent by the document owner).
10. Corrective Action Form: Is it a problem if this isn't filled in by the day of the audit?
Answer: The Corrective Action Form can be filled in after the day of the audit, but it is recommended that this does not take too long to be done, because this action may be forgotten considering daily activities, and depending on the action required, any unneeded delay may be considered a failure to fulfill a system requirement, which may bring problems in a certification or surveillance audit.
11. If you transfer a risk to a third party, how can you justify this in the Statement of Applicability for the associated controls?
Answer: Please note that in the SoA you need to justify only if a control is applicable or not (e.g., by stating there is an unacceptable risk, legal requirement, or top management decision requiring the implementation of the control). There is no need to justify the treatment to be applied (in this case you do not need to justify why you transferred the risk to a third party instead of mitigating it yourself).
For additional information see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
12. What could be a good reason to not implement control A.14.1.1 / to accept the risks associated with control A.14.1.1?
13. Is it really obligatory to implement the Confidentiality Statement in the toolkit? The company implements an addendum in each contract. Is this suitable?
Answer: If the addendum your company uses can fulfill the requirements for ISO 27001, or can be adjusted to be compliant with the standard, then there is no need to implement the Confidentiality Statement that comes in the toolkit.