left-svg
Bonus expert support worth $500
with the ISO 27001 Documentation Toolkit
Limited-time offer – ends June 30, 2022.
right-svg

Expert Advice Community

Guest

Non-conformities

  Quote
Guest
Guest user Created:   Jun 21, 2022 Last commented:   Jun 21, 2022

Non-conformities

Hi Dejan, I wanted to ask you about documented information for the ISO 27001 Clauses 4.2 and 4.4. For the Clause 4.2, our external auditor requires us to have a document containing all needs and expectation of interested parties. My understanding is that there’s no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, Compliance_Requirements.pdf. For the Clause 4.4., our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10. My understanding is that there’s no standard requirement for an ISMS Manual document. Would you consider this a major nonconformity? Please see attached the document version we currently have in place, ISMS_Manual.pdf. Thank you for your help.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jun 21, 2022
1. For the Clause 4.2, our external auditor requires us to have a document containing all needs and expectation of interested parties.My understanding is that there’s no standard requirement to have this information gathered in one document. We have evidence of those requirements recorded in various other documents.Would you consider this a major nonconformity?

Answer: The lack of this single document would not be considered a nonconformity for ISO 27001, because clause 4.2 of this standard does not require the needs and expectations of interested parties to be documented.


2. For the Clause 4.4., our external auditor requires us to have a documented ISMS Manual that includes references and implementation details for all Clauses 4 to 10.
My understanding is that there’s no standard requirement for an ISMS Manual document.

Would you consider this a major nonconformity?

Answer:  The lack of an ISMS manual would not be considered a nonconformity for ISO 27001, because clause 4.4 of this standard does not require such a manual to be documented.

Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:  
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)

For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jun 21, 2022

Jun 21, 2022