Documents implementation

Guest user. Created: Dec 11, 2019. Last commented: Dec 11, 2019.

1. As part of ISMS implementation, do we have to make all the Advisera templates be read and understood by all the colleagues in the organization after filling in the templates, or only the Information Security Policy document?
2. In every doc, it is mentioned that “Users of this document are [job title].” So here, should we mention the concerned approver or the person, e.g., the CISO or all the users in the department?

Expert
Rhand Leal Dec 11, 2019

1. As part of ISMS implementation, do we have to make all the Advisera templates be read and understood by all the colleagues in the organization after filling in the templates, or only the Information Security Policy document?

First, it is important to note that not all templates need to be implemented; only those identified as mandatory by the standard, and those related to controls identified as applicable according to risk assessment results, need to be implemented (you can see which files these are in the List of Documents file included in your toolkit).

Considering that, individual people need to read only the documents that are relevant to them, i.e., all employees in the organization do not need to read all documents.

This article will provide you with further information about documents to be implemented:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

2. In every doc, it is mentioned that “Users of this document are [job title].” So here, should we mention the concerned approver or the person, e.g., the CISO or all the users in the department?

Please note that every time a doc mentions “Users of this document are [job title],” you need to identify the person(s) or role(s) who need to know the document to perform an information security related activity. So the information here will vary from case to case.

For example, for the Information Security Policy, all personnel in the scope are users of this document. For the backup policy, it can be restricted to IT staff, and the management review may be limited to top and senior management personnel.

This article will provide you with further explanation about documenting responsibilities:
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
