Documentation request
We got a peculiar request from a customer. Although we are ISO27001 certified, a customer is insisting that we provide the following full list of documents.
It is the first time we have been asked for this, and I was curious whether you have come across it in the past and have any ideas on how to proceed.
Thank you
· Context of Organisation
· ISMS Scope
· ISMG Governance
· External & Internal Issues and Interested Parties
· Risk Assessment and Treatment Methodology
· ISMS Risk Assessment: Asset Register and Risk Treatment Plan
· Information Security Policy
· Training Matrix
· ISO 27001 Training & Awareness Schedule
· Information Classification and Handling Policy
· Monitoring and Logging Policy
· Corrective Action Register
· Access Control Policy
· Acceptable Use Policy
· Production of Software Policy
· IT Procurement and Third Party Security Policy
· Incident management policy
· Intellectual Property Policy
Please note that only some of these documents are mandatory for an ISO 27001 certified organization (e.g., ISMS scope and the Information Security Policy), while others will depend on whether you have implemented some specific controls (e.g., control A.9.1.1 – Access Control Policy requires an Access Control Policy to be documented), and others are not needed at all (e.g., Context of organization, ISMG Governance and Training Matrix).
For a list of mandatory documents for ISO 27001-certified companies, please see:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
Considering that, unless this request from the customer is based on a contract or service agreement you have with that company, you do not need to have the documents that are not required by the main clauses of the standard or by the specific controls you implemented.
You have to consider how important this customer is to you and based on this, decide if you will write these documents.
Regarding the mandatory documents, you should sign an NDA with the customer before providing the documents.
Oct 07, 2022