Expert Advice Community

Guest user Created:   Oct 07, 2022 Last commented:   Oct 07, 2022

Documentation request

We got a peculiar request from a customer. Although we are ISO 27001 certified, a customer is insisting that we provide the full list of the following documents.

It is the first time we have been asked this, and I was curious whether you have come across it in the past and have any ideas on how to proceed.

Thank you

·  Context of Organisation

·  ISMS Scope

·  ISMG Governance

·  External & Internal Issues and Interested Parties

·  Risk Assessment and Treatment Methodology

·  ISMS Risk Assessment: Asset Register and Risk Treatment Plan

·  Information Security Policy

·  Training Matrix

·  ISO 27001 Training & Awareness Schedule

·  Information Classification and Handling Policy

·  Monitoring and Logging Policy

·  Corrective Action Register

·  Access Control Policy

·  Acceptable Use Policy

·  Production of Software Policy

·  IT Procurement and Third Party Security Policy

·  Incident management policy

·  Intellectual Property Policy

Expert
Rhand Leal Oct 07, 2022

Please note that only some of these documents are mandatory for an ISO 27001 certified organization (e.g., the ISMS scope and the Information Security Policy), while others will depend on whether you have implemented specific controls (e.g., control A.9.1.1 – Access Control Policy requires an Access Control Policy to be documented), and others are not needed at all (e.g., Context of Organisation, ISMG Governance and Training Matrix).

For a list of mandatory documents for ISO 27001-certified companies, please see:

Considering that, unless this request from the customer is based on a contract or service agreement you have with that company, you do not need to have the documents not required by the main clauses of the standard, or by specific controls you implemented.

You have to consider how important this customer is to you and based on this, decide if you will write these documents.

Regarding the mandatory documents, you should sign an NDA with the customer before providing the documents.
