Framework question
Assign topic to the user
Please note that ISO 27001 does not require clauses 4.1 (organizational context) and 4.2 (needs and expectations of interested parties) to be documented. This information is used to develop the ISMS scope and the Information Security Policy. You only need to explain how the context and interested parties influenced your scope and Information Security Policy.
Clauses 5.1 and 5.2 are covered by the Information Security Policy, located in folder 04 General Polices
Clause 5.3 is covered by all policies and procedures in the toolkit when job titles are required to be defined for specific activities.
For clause 6.2, you can use the Information Security Policy template (located in folder 04 General Policies), and Statement of Applicability template (located in folder 06 Applicability of Controls) to define the objectives for your ISMS and the Measurement Report template (located in folder 11 Management Review) to summarize the measurement methods, the frequency of measurement, and the results.
For clauses 7.1 and 9.1 you can use the Risk Treatment Plan to evidence the provision of resources and method for performance evaluation. Clause 9.1 is also covered in the Measurement document.
The main documents in the toolkit that cover clause 7.4 are:
the Information Security Policy, located in folder 4 General Policies
the Training and Awareness plan, located in folder 9 Training and Awareness
the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity
Clause 9.3 is covered by the Management Review Minutes, which can be found in folder (located in folder 11 Management Review)
Regarding clause 10.2, continual improvement can be verified in all clauses from 4 to 10. Evidence for this clause can be shown by means of records related to changes in the environment, results of monitoring and measurement, or decision from management review, since these are the main sources of the need to improve processes, procedures, and controls.
In your toolkit, there is a List of documents files that can show you which clauses are covered by each document.
These materials will provide you a further explanation about evidencing requirements:
- How to demonstrate resource provision in ISO 27001 https://advisera.com/27001academy/blog/2017/04/10/how-to-demonstrate-resource-provision-in-iso-27001/
- Clause-by-clause explanation of ISO 27001 https://info.advisera.com/27001academy/free-download/clause-by-clause-explanation-of-iso-27001
Comment as guest or Sign in
Jun 02, 2022