Get 4 FREE months of Conformio to implement ISO 27001

Expert Advice Community

Guest

ISMS evidence

  Quote
Guest
Guest user Created:   Oct 18, 2021 Last commented:   Oct 18, 2021

ISMS evidence

As part of our support, I want to request some more explanation on the questions below related to ISO-27001:

Evidence of Communication Plan for Communications Related to the ISMS
Documented Management Review Process
Evidence of the Results of the Management Reviews 

Kindly provide more explanation about these requirements and what document templates maps to them .

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 18, 2021

About evidence of the Communication Plan for Communications Related to the ISMS, please note that ISO 27001:2013 requires you to define a communication process, although there is no requirement that such a process must be documented.

Considering that, communication is an activity that is performed by many processes in information security according to ISO 27001, with different purposes. So to have a centralized communication procedure would overhead people responsible for communication with activities that may not be a part of their attributions. That’s the reason there isn’t a specific template for clause 7.4.

The main documents in the toolkit that define how communication needs to be done are:

  • the Information Security Policy, located in folder 4 General Policies
  • the Training and Awareness plan, located in folder 9 Training and Awareness
  • the Incident Management Procedure, located in folder 8 Annex A Security Controls >> A.16 Information Security Incident Management
  • the Disaster Recovery Plan, located in folder 8 Annex A Security Controls >> A.17 Business Continuity

About evidence of Documented Management Review Process, there is no requirement that such a process must be documented. The rules defining interval and purpose for performing the management review are defined in the Information Security Policy, section 4.4. This template is located in folder 4 General Policies. 

About and Evidence of the Results of the Management Reviews, ISO 27001:2013 requires only the results of the management review to be documented, and for that, you can use the Management Review Minutes template, located in folder 11 Management Review.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 18, 2021

Oct 18, 2021

Suggested Topics