Expert Advice Community

What kind of information is of external origin?

Guest user Created:   Apr 19, 2016 Last commented:   Apr 19, 2016

My question is about the "Documents of external origin" section in the Procedure for document and record control document.

Expert
Dejan Kosutic Apr 19, 2016

1. What kind of information about ISMS we may receive from outside? And to which units this information can be addressed?

Answer: You can receive all kinds of security communication and documents from regulatory body and from your partners and clients. This information could be addressed to your IT department, legal department, management board, etc.

2. We also ask you to clarify this item: "[job title] then classifies documents according to the Policy for handling classified information and determines to whom the document should be forwarded." Is it necessary to classify documents? What is the reason to classify documents if these documents will be stored by other units?

Answer: Classification of documents is specified in control A.8.2.1 - you have to apply this control if you marked this control as applicable in your Statement of Applicability, and you will mark it as applicable if there are (1) risks that would require such control to be implemented, and/or (2) if there are legal or contractual requirements. In most cases, when the documents are stored on the intranet, there are risks that someone unauthorized will see them - this is why classification is used; further, very often the regulatory body is requiring the classification to be implemented.

By the way, you can learn a lot about the document control, and all other requirements of ISO 27001 through our free online ISO 27001 Foundations course - I would recommend you register: https://advisera.com/training/iso-27001-foundations-course/
