
Expert Advice Community

Toolkit content

Guest user Created:   Mar 19, 2019 Last commented:   Mar 19, 2019

I do have a couple of questions for you regarding the documentation in the toolkit. Hopefully you could answer these questions for me.

Expert
Rhand Leal Mar 19, 2019

1. Confidentiality level mandatory on each document?

Answer: The label displaying the confidentiality level is mandatory only if control A.8.2.2 Labeling of information is applicable to your ISMS, because of the results of the risk assessment, legal requirements, or a top management decision.

This article will provide you with further explanation about the selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. Confidentiality Statement for Employees: [name of contract on the basis of which the person will have access to confidential information], is this the employment contract?

Answer: This information can be in the employment contract for regular employees, but it can also be in a service agreement for temporary employees. This situation must be considered on a case-by-case basis.

This article will provide you with further explanation about terms and conditions of employment:
- What to consider in security terms and conditions for employees according to ISO 27001 https://advisera.com/27001academy/blog/2018/05/23/what-to-consider-in-security-terms-and-conditions-for-employees-according-to-iso-27001/

3. Do I also have to list the records and / or appendices in the 'Statement of Acceptance of ISMS Documents' ?

Answer: You have to make reference to all documents you want the person to acknowledge. For example, if the Backup policy is not referred to in the 'Statement of Acceptance of ISMS Documents', the person cannot be held responsible for not complying with it.

4. Control A.11.2.1 Equipment siting and protection: I assume this does not include the work laptops of the employees, this only includes network and system architecture, right?

Answer: This control includes all equipment included in the ISMS scope, even work laptops of the employees. The mobile nature of laptops may also require additional controls related to security off-premises, but protection on premises is mostly accomplished by control A.11.2.1.

These articles will provide you with further explanation about physical protection:
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 1 https://advisera.com/27001academy/blog/2016/04/18/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-1/
- How to implement equipment physical protection according to ISO 27001 A.11.2 – Part 2 https://advisera.com/27001academy/blog/2016/04/26/how-to-implement-equipment-physical-protection-according-to-iso-27001-a-11-2-part-2/

5. List of legal, regulatory, statutory and contractual requirements:
a) Do we have to document all the employment contracts, NDAs, SLAs, etc...?

Answer: Contracts normally have clauses establishing rights and duties regarding information security, and in these cases they must be documented.

b) Also, to be ISO 27001 certified, we don't have to be compliant with GDPR as an example right?

Answer: If you have to comply with some law or regulation that defines information security requirements related to your ISMS scope, then you need to be compliant with it to become ISO 27001 certified. For example, if your ISMS scope handles EU citizens' personal data, then you have to be compliant with EU GDPR Article 32.

This article will provide you with further explanation about ISO 27001 and EU GDPR:
- Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
