Guest
We have bought your toolkit for implementing ISO 27001:2013, and I've used the summary enclosed in this mail as a guideline for what we need to implement, as we are on a very tight timeline.
Yesterday I was in a meeting with a consultant that we have hired to prepare us for the upcoming certification process. He then asked why I had not produced documents according to the demands in the Annex to which I replied that they are not mandatory to the certification.
He did not agree. My instructions to him have been that we need to apply the least amount of documentation to implement new routines and at the same time get certified. It is our absolute goal to fulfil and implement all requirements, but we have to take it slow as I have another full-time job at our company. I've taken on this job as it is often a requirement from my customers and we need to have the certification asap. It is, however, agreed that we also need the policies and instructions to live by, but the further job of implementing and creating new ways to get our job done will not be led by me but by a newly recruited CISO (who has not yet started).
I'm sorry for the long mail, but I need clarification on this question. We now have 4 weeks left until the pre-revision and I must know if I have to make sure that all documentation is produced. I have implemented a lot, and initiated other changes, but the documents are not ready, nor is the implementation completed, because I thought I had more time. I would therefore very much like to hear your opinion on the matter.
Examples (not a complete list) that are not mandatory according to your overview are:
A.8.3 Information Classification Policy
A.11.1 Clear Desk and Clear Screen Policy (Note: it may be implemented as part of IT Security Policy)
A.13 Information Transfer Policy (Note: it may be implemented as part of Security Procedures for IT Department)
A.17.2 Business Impact Analysis Methodology
Last week, I bought "(eBook) Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own".
Is there a supplementary document that describes the impact ISO 27001:2022 has on the ebook?
I'm finalizing the procedure for document control and am a little bit confused about the section regarding external correspondence. It suggests we need a register to document external correspondence, but what does this entail? We currently don't have a process for this.
Is the expectation that any document we receive externally (via email or physically) needs to be documented? If not, what examples of documents would we need to take note of?
Hi Dejan! I've been watching your videos on Advisera and am planning to take the exam. I was wondering about the Annual Audit Programme: you said that companies can define their audit criteria? From an external audit perspective, wouldn't the audit compulsorily look at the standard, internal policies and procedures, legislative requirements and interested parties' requirements?
Is there room to say the audit criteria can be scoped to just the standard and not the internal policies etc?
We are an energy utility company and are seeking to implement ISO 27001:2022 throughout our business units. We also came across ISO 27019:2020, and there are some additional controls specifically for energy utility companies. Do we need to add these controls to our SoA? If so, how do we insert them? Thank you!
Can you please tell me how we can treat a risk in the risk register with our own security control (not one of the controls of Annex A)?