ISO 27001 & 22301 - Expert Advice Community

  • Identification of Requirements - level of detail?

    Hi, I'm compiling my list of interested parties and their requirements for section 4.2. I have the list of legal/regulatory bodies etc., which is very helpful; however, I was wondering what level of detail I need to go into? For example, with the Data Protection Act, is it sufficient to include the general principles (e.g. "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes."), or do I need to specifically include more specific requirements such as, e.g., "those involved in recruitment and selection are aware that data protection rules apply and that they must handle personal information with respect"? It seems that if I go into that much detail, it becomes more of a control application than a scope document, so I'm not sure when to stop! Thanks
  • Obtain management support

  • ISO 27001 Lead Implementer / Lead Auditor

  • Technological vulnerabilities

  • Software development within the company

    Our company sells software we develop ourselves. Development is done within a separate system and is managed by its own policies, procedures, and has its own set of (security) requirements. Do we need to include these policies, procedures and requirements into the ISMS? I prefer to exclude this from the ISMS scope, because we don’t use this software in our own production environment and the requirements are customer specific. Thanks.
  • Documents and procedures separately

  • Confidentiality level for the Business Continuity Policy

  • Justification in SoA

  • Procedure to become Lead Auditor

  • Clause 8.1 ISO 27001:2013