I'd like to check a few docs with you that I need but couldn't find. Please find the list below.
- Policy on the use of encryption
- Operating procedures for IT management
- Secure system engineering principles
- Business continuity procedure
- Cloud Security policy
- Policy for data privacy in the cloud
- Statement of acceptance of ISMS document
I got this list from a doc of yours called "List_of_documents_ISO_27001_ISO_27017_ISO_27018_Cloud-EN.pdf", and most of them are mandatory for the ISMS under 27001 and a couple of them for 27017/27018. All the other docs I needed I was able to find on the platform.
If you can help me with that, it would be great.
Please note that only the documents from the ISO 27001 Documentation Toolkit are included in Conformio.
Considering that, the documents "Cloud Security policy" and "Policy for data privacy in the cloud" are not available in Conformio.
Regarding the other documents you mentioned, they will appear automatically in the Step-by-step wizard once the List of Legal Requirements, Risk Register, Statement of Applicability and Risk Treatment Plan are completed. Two observations are important:
- The "Secure system engineering principles" is not a document but a control, which is covered by the "Secure Development Policy".
- The "Business continuity procedure" is not required by ISO 27001; to cover continuity of information security, it is enough to have the "Disaster recovery plan".
First, thanks for the platform; it really makes a difference when implementing ISO 27001.
As I was explaining to Aleksandra, it is my first time implementing 27k; however, I've done 9k, 14k and 18k a few times.
Here we are aiming to certify against 01, 17 and 18, as I mentioned before. Yesterday I had the chance to see 17 and 18 for the first time. I know the idea behind them, but now I am not 100% sure about which controls/policies I should implement and worry about.
Regarding 27017/18 (controls with implementation guidance) and Annex A of 27017/18, my question is: can I skip most/a few of them, should I implement everything, or, which I think is the right option, just the ones applicable to the company's scope?
This question came up after I saw Annex A of 17 and 18. I'm not sure how to deal with them now.
First, it is important to note that unless you have specific requirements demanding the use of ISO 27017 and ISO 27018 (e.g., laws, regulations, or contracts), the controls available in ISO 27001 are sufficient to cover cloud security.
Considering that, please note that the application of ISO 27017 and ISO 27018 controls follows the same principles as for ISO 27001: controls are selected according to the results of the risk assessment, applicable legal requirements, or a top management decision.
As a result, to be compliant with ISO 27001 when using ISO 27017 and ISO 27018:
- you need to implement the controls identified as needed to treat relevant risks and those defined by legal requirements;
- you can skip the controls for which you have no legal requirements and no relevant risks demanding their implementation;
- you can implement the ones top management considers to be good practice.
This article will provide you with a further explanation about control selection: