Toolkit content

1. Regarding Inventory of assets: Which assets must be documented? In the tab "Type of Asset" I see a very long list and I think it's not achievable to document all the risks for all these assets, hence the question.

Answer: First it is important to note that you do not need to use all assets listed on the "Type of Asset" tab, they are only suggestions to help you identify which risks are relevant to your organization (the risks that quickly come to your mind). Considering the asset-threat-vulnerability approach for risk assessment this is quite straightforward (from that list you pick the most common and important assets you have, and from them you identify related threats and vulnerabilities).

These articles can provide you additional information:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/
- ISO 27001 risk assessment: How to match assets, threats and vulnerabilities https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-how-to-match-assets-threats-and-vulnerabilities/

2. Let us say a control is neither relevant for our company or mandatory for ISO 27001, would I be allowed to write at justification for non-selection that it isn't mandatory for us / ISO 27001?

Answer: A more robust justification for excluding a control would be "There are no unacceptable risks, or legal requirements that demand the implementation of this control", because this one makes explicit the main reasons not to implement a control.

This article can provide you additional information:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

3. Regarding the video tutorial 'How to Write Statement of Applicability' at minute +- 13:45: You're speaking about two mandatory documents, are these by default in the Statement of Applicability template? If that's not the case, in which document can I find these?

Answer: I'm understanding that you are referring to approval of residual risks and the approval for the ISMS implementation. As explained in the tutorial the approval of residual risks is included in the SoA. The record of the approval for the ISMS implementation is done through the Risk Assessment and Treatment Report, located on folder 05 Risk Assessment and Risk Treatment Methodology in your toolkit.

4. In case you're a Web hosting company, the Secure Development Policy isn't mandatory, right? If that is the case, is there anything specific that must be written, or is something similar to this alright: "This Policy is mandatory for ISO 27001, however this is not applicable in our business due to not developing software" ?

Answer: First it is important to note that in the Statement of Applicability the justification refers to controls, not documents. Documents are listed on implementation method, if a control is applicable.

Controls from ISO 27001 Annex A are mandatory only if:
- There are risks identified as unacceptable in the risk assessment that require the implementation of such controls
- There are legal requirements (e.g., contracts, laws, and regulations) that require the implementation of such controls
- There is a top management decision requiring the implementation of such controls

If none of these options occur there is no need to implement such controls, or documents which cover them. In you case you can use the same justification from answer 1 ("There are no unacceptable risks, or legal requirements that demands the implementation of this control")

5. Where could I document all the non-employees of the company in the ISMS Scope Document (apparently they have to sign the 'Statement of Acceptance of ISMS Documents'), do I just document them at 5.2 Organizational units?

Answer: The need for them to sign the 'Statement of Acceptance of ISMS Documents' does not mean they have to be part of the ISMS scope, only that they have to be aware of this document.
Non-employees which are related to processes, services, organizational units, locations, or IT infrastructure inside the scope are normally handled through clauses on contracts and service agreements.