Extended controls documentation
Please note that the ISO 27001 Documentation Toolkit you bought does not contain references to ISO 27018 clauses and controls.
Documents compliant with ISO 27018 can be found in the ISO 27001 & ISO 27017 & ISO 27018 Cloud Documentation Toolkit (https://advisera.com/27001academy/product-tour/#iso27001-iso27017-iso27018).
For further information, see:
- ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud https://advisera.com/27001academy/blog/2015/11/16/iso-27001-vs-iso-27018-standard-for-protecting-privacy-in-the-cloud/
Sorry, we believe $997 is pricey and that list of documents is overkill. FYI, we have been an ISO 27001 certified company since 2015 and already have the basics.
So, your team member Marko suggested these 23 documents:
- Procedure for Identification of Reqs
- Appendix 1 - List of Legal, Regulatory, Contractual and Other Requirements
- IS Policy
- Cloud Security Policy
- Policy for Data Privacy in the Cloud
- SoA
- Mobile Device & Teleworking Policy
- Confidentiality Statement
- Statement of Acceptance of ISMS Docs
- Assets Inventory
- Info Classification Policy
- Access Control Policy
- Password Policy
- Encryption Policy
- Disposal and Destruction Policy
- Security Procedures for IT Department
- Chg Mgmt Policy
- Backup Policy
- Secure Development Policy
- Appendix 1
- Supplier Security Policy
- Security Clauses for Clients, Suppliers and Partners
- Incident Management Procedure
- Appendix 3 – Internal Audit Checklist
This is based on the Checklist PDF that Advisera developed.
This, in turn, has pushed the price tag down to only $582, which saves us budget. What do you think?
It is fine if you use only the complementary document which covers the specifics of ISO 27017 and ISO 27018.
However, please be advised that these documents were made for companies that want to implement all 3 standards (ISO 27001, ISO 27017, and ISO 27018), and that ISO 27017 and ISO 27018 sections are not specifically marked in the text.
By the way, in case you do not need the Disposal and Destruction Policy, the Change Management Policy, and the Backup Policy as separate documents, you can skip those and use only the Security Procedures for the IT Department (the content of these policies is included in this template).
Jun 15, 2022