Expert Advice Community


Guidance on Missing ISMS Documentation and Implementation Drafts

Guest user Created:   Oct 31, 2023 Last commented:   Oct 31, 2023


1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.

2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?


Expert
Rhand Leal Oct 31, 2023

1. We have the initial audit with external agencies to get the accreditation, and an agenda for the one-day assessment on November 21st has been sent to us. Please find the attached image which details the ISMS Document review. However, we are missing documents for Compliance, Operational Security, Communication, Development Security, Incident Processes, and Business Continuity Management. Could you please confirm if there are drafts available or advise on how to proceed, as I'm unable to locate them in the Conformio tool? Your guidance on this matter would be greatly appreciated.

Please note that a Compliance document is not required by the standard. In case control A.5.36 (Compliance with policies, rules, and standards for information security) is stated as Applicable in your SoA, the implementation method for this control is defined in the SoA document itself. If this control is not applicable to your organization, no document or activities related to compliance are required to be compliant with the standard.

Business Continuity Management is not required by the standard. In case control A.5.29, A.5.30, or A.8.14 is stated as Applicable in your SoA, it is sufficient to implement the Disaster Recovery Plan to be compliant with the standard.

A communication document is not required by the standard. Communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes. So, having a centralized communication document would create overhead for the people responsible for communication, with activities that may not be a part of their regular tasks.

That’s the reason there isn’t a specific template for clause 7.4.

The main documents in Conformio that define how communication needs to be done are:

  • the Information Security Policy
  • the Training Module
  • the Incident Management Procedure
  • the Disaster Recovery Plan

Additionally, most of the communication an organization performs is already recorded through emails, Slack messages, etc., so those can act as "records."

If you do want to create a separate Communication plan, then this article will provide you with further explanation about a communication plan:

The remaining documents you mentioned are as follows:

  • Operational Security: Security Procedures for IT Department
  • Development Security: Secure Development Policy
  • Incident Processes: Incident Management Procedure

Please note that these documents will be available only if the controls that require their implementation are defined as applicable in the Statement of Applicability.

2. Additionally, for ISMS Implementation, there is a requirement for Design, Development & Test, and Facility and Asset Management. I have checked the documents, as well as the Conformio tool, but I couldn't find any drafts pertaining to these areas. Can you please advise on this?

The definition of Design, Development & Test activities is included in the Secure Development Policy.

Facilities and asset management are not commonly used documents for ISO 27001, so there aren't specific drafts for them. In this case, you can use the blank template located in the Documents folder to create your documents.

In case you need assistance, you can schedule a meeting with one of our experts, who will help develop the documents. You can schedule a meeting here: https://advisera.com/consultations/
