Do we need to document each control?
You do not need to document each control - otherwise you would end up with numerous documents, which would be overkill for you. For instance, you could choose backup as an applicable control and define in the SoA that you will perform backup every 24 hours, but you do not need to write a policy or a procedure for it.
Click here to see which documents are mandatory: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Jan 12, 2016