Jun 02, 2022

Framework question

One question about your framework. I have got a long agenda for the certification meeting. This is just a part of it:

Top management
• Organizational context and needs and expectations of interested parties (4.1, 4.2)
• Strategic direction, policies (5.2) & objectives (6.2)
• Involvement and commitment from top management with respect to the management system (5.1)
• Roles, responsibilities, and authorities (5.3)
• Provision of resources (7.1)
• Human resource security (A7)
• Communications (internal/external) (7.4)
• Continual improvement (10.2)
• Performance evaluation (9.1)
• Management review (9.3)

I have documented all of Annex A, but where are all the requirements like 4.1, 4.2 documented in your framework?

Rhand Leal Jun 02, 2022

Please note that ISO 27001 does not require clauses 4.1 (organizational context) and 4.2 (needs and expectations of interested parties) to be documented. This information is used to develop the ISMS scope and the Information Security Policy. You only need to explain how the context and interested parties influenced your scope and Information Security Policy.

Clauses 5.1 and 5.2 are covered by the Information Security Policy, located in folder 04 General Policies.

Clause 5.3 is covered by all policies and procedures in the toolkit when job titles are required to be defined for specific activities.

For clause 6.2, you can use the Information Security Policy template (located in folder 04 General Policies), and Statement of Applicability template (located in folder 06 Applicability of Controls) to define the objectives for your ISMS and the Measurement Report template (located in folder 11 Management Review) to summarize the measurement methods, the frequency of measurement, and the results. 

For clauses 7.1 and 9.1, you can use the Risk Treatment Plan to evidence the provision of resources and the method for performance evaluation. Clause 9.1 is also covered in the Measurement document.

The main documents in the toolkit that cover clause 7.4 are:

- the Information Security Policy, located in folder 4 General Policies
- the Training and Awareness plan, located in folder 9 Training and Awareness
- the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
- the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

Clause 9.3 is covered by the Management Review Minutes, which can be found in folder 11 Management Review.

Regarding clause 10.2, continual improvement can be verified in all clauses from 4 to 10. Evidence for this clause can be shown by means of records related to changes in the environment, results of monitoring and measurement, or decisions from management review, since these are the main sources of the need to improve processes, procedures, and controls.

In your toolkit, there is a List of Documents file that can show you which clauses are covered by each document.

These materials will provide you with further explanation about evidencing requirements:
- How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/
- Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001

