ISO 27001 documentation
Hi, I have a question regarding ISO 27001 documentation. Can I combine control docs together where it makes sense to do so or should they always be separate? For instance, I wish to put the individual user agreement, wireless user addendum, and mobile phone addendum under the same agreement? Is that allowed or perhaps bad practice? Thank you
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 does not prescribe how documentation must be elaborated, so organizations can develop them the way it best suits their needs.
The main criteria to decide to merge documents or not are if they have similar purposes and if by merging them they would not become a document too big to understand and read. So, in this particular case, if your single document does not become too big to use and manage it may be best to merge them, so you have fewer documents to manage in your ISMS.
These articles will provide you a further explanation about developing policies:
- One Information Security Policy, or several policies? https://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
Comment as guest or Sign in
Feb 24, 2020