Evidences of control implementation and training and awareness program

Guest user Created:   Nov 24, 2016 Last commented:   Nov 24, 2016


1 - What types of records of implementation are needed when implementing the required control?

Expert
Rhand Leal Nov 24, 2016

Answer: In general, the information you have to gather to evidence a control implementation that is compliant with ISO 27001 is:

1. Risk treatment plan (clauses 6.1.3 e and 6.2), to evidence what was planned for the control implementation (e.g., policies, procedures, trainings, etc.). If the control being implemented is part of ISO 27001 Annex A, you have to be sure the mandatory documents defined there are included as deliverable of the plan
2. Records of training, skills, experience and qualifications (clause 7.2), to evidence that people performing the control are competent to do so
3. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3), to provide information to be evaluated and trigger other related controls (e.g., incident response)
4. Monitoring and measurement results (clause 9.1), to evidence the control is actually working
5. Results of internal audits (clause 9.2), to evidence independent evaluation of the implemented control
6. Results of the management review (clause 9.3), to evidence management follow-up of the risk treatment plan and the control results
7. Results of corrective actions (clause 10.1), to evidence improvement

Additionally, you also need to have all the records prescribed by your own documentation.

2 - For the training and awareness program, can people outside the organization or the unit for which ISMS is being undertaken attend?

Answer: Yes, they can - as long as the awareness or training activities do not include confidential information or any other information the organization considers cannot be shared with external people.

This article will provide you further explanation about ISO 27001 mandatory documentation and training:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- How to perform training & awareness for ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/05/19/how-to-perform-training-awareness-for-iso-27001-and-iso-22301/

These materials will also help you regarding ISO 27001 documentation and training:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
