1. 'Security Procedures for IT Department'. XXXX is an IT company, this means there is no specific IT department. Is it still obligatory for us to make this document?
Answer: First it is important to understand that this document is intended to the "department" that runs the IT systems that support the organization's business. In your case this document would be intended to the area that runs your internal IT systems, but also could be applied to IT processes you run for your customers.
Second, this document is mandatory only if controls that ISO 27001 Annex covers are required by your business, considering that:
- There are risks identified as unacceptable in the risk assessment that require the implementation of controls covered by this document
- There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of the controls covered by this document
- There is a top management decision requiring the implementation of the controls covered by this document
If none of these options occur for the controls related to this document there is no need to implement this document.
2. Risk Treatment Table: Regarding the zero's at the last column (which is Risk), are these put as an example?
Answer: The zero is the result of the formula used to calculate risk (consequence plus likelihood, on columns L and M respectively), and on the template the zero is because the template is empty. Included in the toolkit you have access to a video tutorial that will guide you on filling the Risk Treatment Table with real data.
3. Statement of Applicability: Aren't we supposed to tick the controls which are mandatory for ISO 27001 (the ones affiliated with the documentation in your PDF, ex. Statement of Acceptance of ISMS Documents is mandatory, so A.7.1.2 is applicable) ?
Answer: The Statement of Applicability goes beyond ticking applicable controls, because you also have to document the justification to apply, or not to apply, a control from Annex A, and the implementation status of each control. Additionally, considering your example, in fact it is the other way around (i.e., because A.7.1.2 is applicable the Statement of Acceptance of ISMS Documents is mandatory).
4. Validity and document management (which is at the bottom of nearly each document): required or not? If it is required, may we present it on a different way (ex. in a table) ?
Answer: Validity helps fulfill requirements regarding clause 7.5.2 Creating and updating documented information, while document management helps to identify and control records related to the document, fulfilling clause 7.5.3 Control of documented information. Since ISO 27001 does not prescribe how to present this information, you can use any presentation that you see best for your organization.