1 - In the toolkit, I noticed that there's no policy, or a reference to a policy, for each control in Annex A (e.g. A.11.1.6 Delivery and loading, or A.11.2.3 Cabling security, etc.). So I'm wondering if we can easily leave such things out of the ISO 27K scope and so leave them out of the SoA? Or should we include them in a policy or write a separate document about these things? Or is it enough to write a short answer in the SoA about how this is implemented?
Answer: ISO 27001 does not require each control to be implemented, nor does it require each implemented control to be documented. Therefore, you have the following options:
a) Exclude a control in the Statement of Applicability if there are no risks or requirements for this particular control
b) Implement a control and write a separate policy or procedure for it
c) Implement a control and document it through a policy or a procedure which also covers other controls
d) Implement a control without documenting it - in this case you only describe briefly in the SoA how you implemented it
2 - For my own reference: I assumed that the ISO standard and controls (Annex A or SoA) are copyright protected? But I saw you used the numbering and especially the "titles" from the ISO standard; is this allowed? I'm just wondering if I can use my own Excel file "including the official control description" as well and store it in Conformio or on our file server.
Answer: Using the numbering and titles as a reference to the standard is allowed, because in many requirements (like the one which defines the SoA content) you have to make reference to the standard to be compliant. What is not allowed is copying the content of sections, as well as copying the descriptions of controls, but you can write them in other words and use them in your Excel file with no problem.