I am sending this email to ask you about the changes in the ISMS Manual based on the ISO 27001:2013 version. We've developed an ISMS manual based on the 2005 version, but we are now migrating to 2013.
Q1: Is it required to modify the whole ISMS manual, as the requirements in the ISO 27001:2013 version are quite different from ISO 27001:2005 (e.g. the 2005 version is developed using the PDCA approach, but 2013 doesn't say anything about it, though we're using the same approach)?
Q2: Do we need to update the manual using the same chapter names as in 2013?
Answer:
Point Q1: The ISO 27001 Manual really is not necessary; I mean, it is not a mandatory document. You can see all mandatory documents in this article, List of mandatory documents required by ISO 27001 (2013 revision): https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
This article can also be interesting for you, Is the ISO 27001 Manual really necessary?: https://advisera.com/27001academy/blog/2014/02/03/is-the-iso-27001-manual-really-necessary/
About your question related to the PDCA, it is not expressly displayed in the standard, but it is in it. Please read this article, Has the PDCA Cycle been removed from the new ISO standards?: https://advisera.com/27001academy/blog/2014/04/13/has-the-pdca-cycle-been-removed-from-the-new-iso-standards/
Point Q2: Although the Manual is not mandatory, you can maintain it if you want. In this case, I think that the right way is to adapt it to the structure of the new standard (see the clauses in the article above).
Jan 12, 2016