We have acquired the ISO27001 Toolkit and started to fill out the documents.
Right from the first document (00_Verfahren_zur_Lenkung_von_Dokumenten_und_Aufzeichnungen_27001_EN) I have a question of understanding about Chapter 4, "Documents of external origin". Neither the standard nor the toolkit makes it clear enough to me what kind of documents "external documents" are. This is very important to us because we do not want to certify the entire company, but just a business unit. The secretariat/post office is not part of the scope and must be assigned an interface with the steering. That's why we want to spare ourselves something like an inbox register, or at least limit it to as few documents as possible.
After much internal discussion, we believe that these can only and exclusively be documents that are directly related to the ISMS. So, again, to delineate clearly: we are talking here about documents and not records.
The standard says at this point:
"Documented information of external origin, which has been identified by the organization as necessary for the planning and operation of the ISMS must be appropriately identified and managed".
By planning and operating the ISMS we understand e.g. communication with the certification authority (sending the ISMS certificate) and any documents that are sent to us by authorities or lawyers and result in the checking or changing of an ISMS document (legislative changes).
We are uncertain about the handling of customer and supplier orders. We are building the ISMS with the goal of making information security comprehensible to our customers in a single business area. From this point of view, the contracts with our customers and suppliers are the basis of our actions and the beginning of a relevant business process. But that's why such a contract would have to be regarded as a "record" and not as a "document". We would not regulate this type of correspondence in the document handling document (external documents) but in the respective ISMS document (e.g. change management => recording of customer orders, invoices or supplier policy => recording supplier contracts, calculations, etc.)
Our actual question from this e-mail summarized again:
What type of documents must mandatorily be included in the toolkit document "00" in the chapter "4. external origin" to comply with the norm?