Expert Advice Community

Toolkit content

Guest user Created: Mar 31, 2019 Last commented: Mar 31, 2019

I do have a couple of questions for you regarding the documentation in the toolkit. Hopefully you could answer these questions for me.
Expert
Rhand Leal Mar 31, 2019

1. Information Security Policy: Can we summarize a couple of aspects in the concepts of Annex A, such as Organization, HR Security, Asset Management, Access Control, Cryptography, ...

Answer: The Information Security Policy is a top-level document, created before the identification of controls, so we do not recommend such a summary because:
- It will make the document overly complex and difficult to understand
- There is a risk of rework if, after the risk assessment, you identify that there are no relevant risks that can justify the text included in the Information Security Policy as you are proposing

For further information please read:
- What should you write in your Information Security Policy according to ISO 27001? https://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

2. Inventory of assets: Description of asset: What do we have to write here? Are we supposed to write what this asset is being used for?

Answer: If ISO 27001 control A.8.1.1 (Inventory of assets) is applicable to your organization you should consider at least the name of the asset, its owner and its classification level. Of course you can add more information to fulfill additional needs from other requirements you have, or you understand it will help you manage the ISMS (e.g., what the asset is being used for).

This article will provide you with further explanation about the Inventory of assets:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

3. Inventory of assets: Impact: Which impact do we have to list here in case there are more risks which are related to the specific asset?

Answer: You have to consider the highest impact identified among the list of risks related to a specific asset.
For further information, please read:
- How to assess consequences and likelihood in ISO 27001 risk analysis https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#assessment

4. Risk Treatment Table: What if there is more than one control which could be bound to a specific risk? Let us say: losing your work laptop is the risk, controls: regarding Mobile Device & Teleworking (A.6) and Business Continuity (A.17), so there is more than one option.

Answer: ISO 27001 does not prescribe how many controls you need to adopt to treat a risk, so you can adopt as many controls as you see necessary to reduce risks to acceptable levels in a cost-effective way.
This article will provide you with further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

5. We must be certified by June, is there any advice that you could give me on how to get this sorted out as soon as possible?

Answer: Without details about your context (e.g., company size, ISMS scope, business objectives, etc.) it is not possible to provide detailed guidance, but in general you should work to maintain top management commitment on the project (to prioritize tasks and resources), and keep controls and documents as simple as possible (you should worry about refinements at a later stage).

By the way, included in your toolkit you have access to several tutorials that can help you with tasks like filling in the risk assessment and risk treatment tables, developing the information security policy, etc.
