Expert Advice Community

Various questions regarding toolkit

Guest user Created: Apr 10, 2019 Last commented: Apr 10, 2019

1. Let us say that the laptops and/or servers (or let us say in general asset types) have the same purpose, would we have to multiply each risk by 3 just because there are different Asset Owners?

Expert
Rhand Leal Apr 10, 2019

Answer: Considering the asset-threat-vulnerability approach for risk assessment, the fact that assets have different owners does not influence the risk calculation. So you have to consider only each asset-threat-vulnerability relation to calculate the individual risks.

By the way, included in your toolkit you have access to a video tutorial that can help you fill in the Risk Assessment and Risk Treatment Table, with examples with real data.

2. If there is more than 1 control which can be applied to 1 risk, we should evaluate each record separately, right? I mean if the risk after treatment is 1, we must not continue from that point in the next report.

Answer: If you decide to mitigate a risk by implementing controls, you only have to implement controls in a quantity sufficient to reduce the risk to acceptable levels. For example, if you can apply 3 controls to treat a risk, but after applying the first the risk is reduced to acceptable levels, then you do not need to apply additional controls.

3. Control A.12.6.1 Management of technical vulnerabilities: This control can be applicable to nearly every risk; may we note that this is a management decision as the justification for selection?

Answer: You can use a management decision as justification for selecting a control, but in case of systemic application as you mentioned, most probably the results of risk assessment will provide a more robust justification.

4. List of Legal, Regulatory, Contractual and Other Requirements: As for us one of the requirements would be GDPR and interested parties most likely the Data Protection Authority (Privacy Commission in Belgium), but I don't know what to fill in in the 3 tabs in the middle: 'Document stipulating the requirement', 'Person responsible for compliance' and 'Deadlines'. Can you possibly help me with this?

Answer: In fact, the GDPR is the 'Document stipulating the requirement'. The relation between ISO 27001 and GDPR is by means of Article 32 (this is the requirement to be used in this row). As for 'Person responsible for compliance', you have to define who will have the responsibility and authority to implement and enforce compliance with Article 32. Finally, on 'Deadlines' you have to define by when the implementation will be finished (e.g., by end of July 2019).

5. List of Legal, Regulatory, Contractual and Other Requirements: Does this already have to be filled in at the moment of the audit?

Answer: This is one of the main documents to define the ISMS, so it has to be filled at the beginning of the ISMS implementation, well before the moment of the audit.

6. Training and Awareness Plan: Does this already have to be filled in at the moment of the audit?

Answer: This is also another document important to the ISMS, because it helps to organize the evidence of fulfillment of clauses 7.2 and 7.3, so it has to be filled in before the moment of the audit.

7. Measurement Report: Can I just write "Marketing", "Business", "Information Security", or something similar in the "Control / process / department" tab?

Answer: The recommendation here is to write something that will be easily understood in your organization. So, while "Marketing" and "Information Security" may be easily understood, "Business" may be too generic and you should consider something more specific.
