Expert Advice Community

Do we need to document each control?

Guest user | Created: Jan 12, 2016 | Last commented: Jan 12, 2016

I have a question on the mandatory documents: does this mean that, even if in the risk assessment step or building our SOA we find any controls that are applicable to our company, we do not necessarily have to document them? Or are these mandatory documents a complement to those documents you create from the risk assessment and SOA?
DejanK Jan 12, 2016

You do not need to document each control - otherwise you would end up with numerous documents, which would become overkill for you. For instance, you could choose backup as an applicable control, and define in the SoA that you will perform backup every 24 hours, but you do not need to write a policy or a procedure for it.

Click here to see which documents are mandatory: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
