Expert Advice Community

Guest

External Documents and the acceptable handling thereof

  Quote
Guest
Guest user Created:   Apr 09, 2021 Last commented:   Apr 09, 2021

External Documents and the acceptable handling thereof

thank you for your reply and your colleagues comments.

I am still unsure about the external Documents and the acceptable handling thereof.

External Documents: 

Our Servicedesk registers documents within its tracking system.

Do I need to keep an explicit record or may I argue that I can request any registered document from our Servicedesk? 

I require advice which external  documents are required for the ISMS. Your colleague wrote:

“Examples of external documents are laws and regulations you need to comply with, documentation sent by your customers or suppliers, etc.

The identification of such documents can be made during identification of ISMS requirements and risk assessment.” 

The only external documents that we identified as pertaining to our ISMS might be the auditors reports and certificates.

Which “identification of ISMS requirements and risk assessment.” Is your colleague referring to?

I leave my questions at that,

I am looking forward to some clarification and will  continue from that.

0 0

Assign topic to the user

Assign

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Apr 09, 2021

1 - Do I need to keep an explicit record, or may I argue that I can request any registered document from our Service desk? 
I require advice which external documents are required for the ISMS. Your colleague wrote:
“Examples of external documents are laws and regulations you need to comply with, documentation sent by your customers or suppliers, etc.
The identification of such documents can be made during identification of ISMS requirements and risk assessment.” 
The only external documents that we identified as pertaining to our ISMS might be the auditors reports and certificates.

Answer: Please note that if you can ensure the availability of registered documents stored in your Service Desk you do not need to keep a record on your own.

2 - Which “identification of ISMS requirements and risk assessment.” Is your colleague referring to?

I leave my questions at that. I am looking forward to some clarification and will continue from that.

Answer: Please note that “identification of ISMS requirements and risk assessment” are mandatory steps in the implementation of your ISO 27001 ISMS, and during these steps, you can identify needs to keep specific records.

For example, when identifying ISMS requirements, you may find that you need to comply with a law (e.g., EU GDPR), and for that, you need to keep some records (e.g., user consent for data processing). Additionally, during risk assessment, for the controls you find applicable, you will need to identify records to be kept for evidencing controls implementation (e.g., backup test report).

For further information, see:
- ISO 27001 implementation checklist https://advisera.com/27001academy/01academy/emy/ademy/my/knowledgebase/iso-27001-implementation-checklist/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Apr 09, 2021

Apr 09, 2021

Suggested Topics