Thursday, 16 May 2013

List of mandatory documents required by ISO 27001

By Dejan Kosutic on April 09, 2013
It’s actually funny, but it is rather difficult to find a list of all mandatory documents required by ISO 27001 anywhere on the Internet – this problem came to my attention when one of the readers of my blog told me he had to read several of my articles to assemble this list.
Anyway, a complete list of mandatory documents has two parts: the first part is related to documents which are required in the main part of the standard (clauses 4 to 8), and the second part is related to Annex A.
Mandatory documents required in the main part of ISO 27001
The first part is rather straightforward – most of the required documents are listed in clause 4.3.1:
  • ISMS scope
  • ISMS policy and objectives
  • Risk assessment methodology
  • Risk assessment report
  • Statement of Applicability
  • Risk treatment plan
  • Description of how to measure the effectiveness of controls
  • Procedure for document management
  • Controls for record management
  • Procedure for internal audit
  • Procedure for corrective action
  • Procedure for preventive action
Records required by the main part of the standard are as follows:
  • Records related to effectiveness and/or performance of the ISMS
  • Records of management decisions
  • Records of significant security incidents
  • Records of training, skills, experience and qualifications
  • Results of internal audit
  • Results of management review
  • Results of corrective actions
  • Results of preventive actions
Documents for Annex A
This is where it gets confusing – ISO 27001 doesn’t require all the controls from Annex A to be implemented, and it doesn’t clearly indicate how each control should be documented. To learn how to determine which controls to implement, read this article: ISO 27001 risk assessment & treatment – 6 basic steps.
The documents that are mandatory in Annex A (provided that the control is applicable) are the following:
  • Information security policy
  • Inventory of assets
  • Rules for acceptable use of assets
  • Definition of roles and responsibilities
  • Operating procedures for information technology and communications management
  • Access control policy
  • List of relevant statutory, regulatory and contractual requirements
  • Records provided by third parties
  • Logs recording user activities, exceptions, events, etc.
And here are the documents that are quite commonly used when implementing controls from Annex A, although they are not mandatory:
  • Classification policy
  • Change management policy
  • Backup policy
  • Disposal and destruction policy
  • Information exchange policy
  • Password policy
  • Clear desk and clear screen policy
  • Policy on use of network services
  • Mobile computing and teleworking policy
  • BYOD – Bring your own device policy
  • Incident management procedure
Which documents do you think should be used in ISO 27001 implementation?
Click here to download a white paper Checklist of ISO 27001 Mandatory Documentation with more detailed information on the most common ways for structuring and implementing mandatory documents and records.
