Expert Advice Community

Guest

Contradiction in reading material

  Quote
Guest
Guest user Created:   Feb 24, 2021 Last commented:   Feb 24, 2021

Contradiction in reading material

I'm finding a contradiction. In the article Practical use of corrective actions for ISO 27001 and ISO 22301, it says under Required Documents that that a procedure must be documented. But further down, it says that it is not mandatory. Which is it?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Feb 24, 2021

First of all, thanks for the feedback.

Please note that this article was written according to the old 2005 revision of ISO 27001, and for this version the Corrective Action Procedure was mandatory. In the current 2013 version of ISO 27001 the Corrective Action Procedure is not mandatory. We apologize for this confusion and will work ASAP to update the article.

In ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non mandatory requirements/documents are related to words “may”or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)

Regarding the Corrective Action Procedure, it is documented in most cases because it is considered a good practice (it helps new employees to understand faster and easier how to handle corrective actions).

These articles can be helpful for you:
- Explanation of the basic terminology in ISO standards https://advisera.com/27001academy/blog/2015/01/12/explanation-of-the-basic-terminology-in-iso-standards/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Feb 23, 2021

Feb 23, 2021