
Expert Advice Community

Guest

ISMS evidence

Guest user Created: Oct 18, 2021 Last commented: Oct 18, 2021

As part of our support, I want to request some more explanation on the questions below related to ISO-27001:

Evidence of Communication Plan for Communications Related to the ISMS
Documented Management Review Process
Evidence of the Results of the Management Reviews 

Kindly provide more explanation about these requirements and which document templates map to them.


Expert
Rhand Leal Oct 18, 2021

About evidence of the Communication Plan for Communications Related to the ISMS, please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented.

Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes. So having a centralized communication procedure would overload the people responsible for communication with activities that may not be part of their attributions. That's the reason there isn't a specific template for clause 7.4.

The main documents in the toolkit that define how communication needs to be done are:

  • the Information Security Policy, located in folder 4 General Policies
  • the Training and Awareness plan, located in folder 9 Training and Awareness
  • the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
  • the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

About evidence of a Documented Management Review Process, there is no requirement that such a process must be documented. The rules defining the interval and purpose for performing the management review are defined in the Information Security Policy, section 4.4. This template is located in folder 4 General Policies.

About evidence of the Results of the Management Reviews, ISO 27001:2013 requires only the results of the management review to be documented, and for that you can use the Management Review Minutes template, located in folder 11 Management Review.
