ISMS 27001 processes

1- I am in the process of setting up the ISMS with your tool kit. What I miss (or haven't found) the processes (structure) for change management or patch management.

To be compliant with ISO 27001 you only need a Change Management Policy, which can be found in folder 08 Annex A Security Controls >> A.12 Operations Security

For an optional more robust documentation (this is not required for ISO 27001), please take a look at this toolkit:

• ITSM Change Management Toolkit https://advisera.com/20000academy/itsm-change-management-toolkit/

It is designed for compliance with ISO 20000, but can be adjusted to be used with ISO 27001. IT covers the following documents:

• Request for Change and Change Record- Minutes of Meeting CAB
• Change Schedule
• Change Management Process
• Change Management Policy

For further information, see:

• An overview of the ITIL Change Management Process [free webinar on demand] https://advisera.com/20000academy/webinar/an-overview-of-the-itil-change-management-process-free-webinar-on-demand/
• How to manage changes in an ISMS according to ISO 27001 A.12.1.2 https://advisera.com/27001academy/blog/2015/09/14/how-to-manage-changes-in-an-isms-according-to-iso-27001-a-12-1-2/

2 - As well as the subdivision into management, core and support processes. This is required for the process landscape.

Regarding processes classification, ISO 27001 does not require processes to be mapped. It is not generally required for the toolkit implementation (for that you only need to implement the documentation in the order they are presented in the toolkit’s folders).

In a general manner, you can consider this classification:

• management processes: management review
• core processes: risk management, security operations, processes monitoring
• supporting processes: document and record management, internal audit