Frequently Asked Question
This document is a simple, non-technical guide to help you fill the ISO/IEC 27001:2022 Scope & Information Gathering Excel sheet correctly.
You do not need prior knowledge of ISO or cybersecurity. The goal is only to capture accurate information about your business and IT usage, not to judge or audit you at this stage.
Important Before You Start
- Please answer honestly and practically.
- If something is not applicable, clearly mention “Not Applicable”.
- If you are unsure, mention “Not Sure / To Be Confirmed”.
- Do not leave fields blank unless explicitly instructed.
This sheet is used to:
- Understand the scope of certification
- Estimate effort, timeline, and cost
- Avoid surprises during the audit stage
Understanding the Columns in the Excel Sheet
Question / Requirement Column
This column describes what information is being asked.
What to do:
- Read the question carefully
- Do not overthink technical terms
- Focus on how things work in your organization today
Description / Guidance Column
This column explains why the question is asked or gives examples.
What to do:
- Use this column as a hint, not as instructions
- It helps you understand what type of answer is expected
Response / Answer Column (Most Important)
This is where you need to write your answer.
How to answer correctly:
- Use simple sentences
- Avoid marketing language
- Write what is actually in place, not what is planned
Examples:
- “We use Google Workspace for email”
- “Employee laptops are password protected”
- “No formal policy exists currently”
Honest answers help reduce rework later. Do not write what you think ISO expects
Remarks / Comments Column
Use this column for additional explanation.
When to use:
- Partial implementation
- Planned improvements
- Temporary arrangements
Examples:
- “Policy drafting in progress”
- “Backup is manual, automation planned”
How to Answer Common Sections
Organization & Business Details
Fill basic company information such as:
- Company name
- Location(s)
- Number of employees
- Type of business
Use official records where possible.
Scope of Certification
This defines what part of the organization is covered under ISO 27001.
How to answer:
- Mention specific departments, processes, or locations
- Avoid saying “Entire Organization” unless required
Example:
“IT operations and customer data handling at Mumbai office”
IT Infrastructure
Describe what technology you use:
- Laptops / desktops
- Servers (if any)
- Cloud services (Google Workspace, AWS, etc.)
You can answer in simple terms: “Employees use company laptops and cloud email”
Information Security Controls
These questions ask how you protect data.
Answer based on reality:
- Antivirus: Yes / No
- Passwords: Manual / Enforced
- Access control: Who can see what
If something is not implemented, say so clearly.
Policies & Documentation
This checks whether formal policies exist.
If you do not have written policies:
- Write “Not available currently”
- This is normal for many organizations
Policies can be created later during implementation.
Backup, DR & Incident Handling
Explain how data issues are handled:
- Is data backed up? (Yes/No)
- Where is backup stored? (Cloud / External drive)
- Any disaster recovery plan? (Yes/No)
- Any incident response process? (Formal/Informal/None)
Guidelines:
- Mention actual practice
- Informal handling is acceptable to state
Example:
- “Email data backed up automatically by Google”
- “No formal disaster recovery plan”
Common Mistakes to Avoid
1.Leaving answers blank2. Writing vague words like “Yes” without explanation
3. Overstating security maturity
4. Using technical jargon unnecessarily
If You Are Unsure What to Write
Use one of these safely:
- “Not Applicable”
- “Not Sure – confirmation required”
- “Currently not implemented”
These are acceptable and expected answers.
Final Note
This document is only for understanding scope and effort.
It is not an audit and not a compliance check.
Accurate inputs here will:
- Speed up the process
- Reduce costs
- Avoid confusion later
If you need help filling any section, you may contact us for clarification.
Transparency upfront makes ISO simple later.