Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

Expert Advice Community

Guest

Toolkit content

  Quote
Guest
Guest user Created:   Apr 17, 2019 Last commented:   Apr 17, 2019

Toolkit content

1. ISMS Scope Document, Processes and Services: If the only location which is included in the scope is the datacenter, can I leave the processes out of 6.1 and limit it to just services? No one is executing the processes (help desk application, server management system, customer relationship management tool) in the datacenter.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Apr 17, 2019

Answer: You can describe only services in your scope, but it is not recommended, since services are delivered by processes, and you cannot define location in the scope without considering the processes related to the services. For example, in your case, the central processing of a service is performed in the datacenter, while employees interact with the service in rooms and offices outside the datacenter, and these rooms and offices also must be include as locations in your scope, so all environments where the service runs are protected by the ISMS.

These articles will provide you further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

2. ISMS Scope Document, Locations: The office is in Belgium and the datacenter is in The Netherlands. Is this a fine way how to write how they are separated?

Answer: If only your datacenter is in the scope, there is no need to include the location of the office. You must specify means of separation only when elements that are inside and outside of the scope are in the same location (for example, the datacenter is in the same building but is located on a separated floor).

3. Which fields are obligatory in the Risk Treatment Plan?

Answer: ISO 27001 does not prescribe the content of a risk treatment plan, but all fields defined in the Risk Treatment Plan template must be filled because they will help you not only to ensure controls are implemented (by means of Description of activities, Responsible person, Start and completion deadlines, and Status) but will also help you evidence fulfillment of standards clauses (Necessary financial and other resources for clause 7.1, Training and awareness programs for clause 7.2, and Method for evaluation of results for clause 9.1)

This article will provide you further explanation about evidencing resources:
- How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/

4. Inventory of assets: If we choose not to do asset labeling, then I assume we only have 2 obligatory fields which are Asset Owner and Asset Name right?

Answer: ISO 27001 does not prescribe which details must be listed in the asset inventory, so you can list only the asset name and its owner, but you should also consider to fill the other fields, because they will be useful for managing the assets.

This article will provide you further explanation about asset register:
- How to handle Asset register (Asset inventory) according to ISO 27001 https://advisera.com/27001academy/knowledgebase/how-to-handle-asset-register-asset-inventory-according-to-iso-27001/

5. A.7.2.3 Disciplinary process: Can this be really basic defined or do you have any examples of how it could be defined?

Answer: ISO 27001 does not prescribe which details must be included in the disciplinary process, so an organization is free to define it the way it better suits them (you can use the disciplinary process you already have in your own organization).

6. Training and Awareness Plan: Is reading the established policies also a way of training?

Answer: Reading policies can be considered a way of awareness and training, to ensure a person knows a policy exists and what it is about. But for some policies you also have to consider that the person must practice to perform properly which is required by the policy.

These articles will provide you further explanation about awareness and training:
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/
- 8 Security Practices to Use in Your Employee Training and Awareness Program https://advisera.com/27001academy/blog/2015/03/02/8-security-practices-to-use-in-your-employee-training-and-awareness-program/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 17, 2019

Apr 17, 2019

Suggested Topics

Guest user Created:   Apr 07, 2022 ISO 27001 & 22301
Replies: 1
0 0

Toolkit content

Guest user Created:   Jan 25, 2022 ISO 27001 & 22301
Replies: 1
0 0

Toolkit content

Guest user Created:   Jan 20, 2022 ISO 27001 & 22301
Replies: 1
0 0

Toolkit content - A.6.1