Expert Advice Community

Guest user Created:   Mar 14, 2019 Last commented:   Mar 14, 2019

Documenting controls

In ISO 27001:2013 Annex A.9.4.2, it states that there must be a secure log-on procedure as dictated by the Access Control Policy. If my secure log-on procedure is captured in a "policy" document instead of a "procedure" type document, is that wrong?


Expert
Rhand Leal Mar 14, 2019

Answer:

First, let's understand the differences between these documents. Normally, policies define general guidelines (what must be done), while procedures are more specific (defining how to perform an activity), but it is not mandatory that your documentation is divided in such a way.

Considering that, if your "policy" fulfills the requirements of Annex A control A.9.4.2, this is compliant with ISO 27001 and will be acceptable for a certification audit.

These articles will provide you with further explanation about documenting controls:
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/
- How detailed should the ISO 27001 documents be? https://advisera.com/27001academy/blog/2014/09/22/detailed-iso-27001-documents/

These materials will also help you regarding documentation:
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
