ISO 27001 documents

Advisera's ISO 27001 Documentation Toolkit does not have a document for each and every control from ISO 27001 because of the following reasons:

1. ISO 27001 does not require each and every control to be documented
2. If the toolkit had a document for each control, there would be too many documents, and this would be an overkill for smaller and mid-size companies.
   Since our target are SMEs, we have decided to include an optimum amount of documents for companies of this size - the toolkit includes:

All the mandatory documents - e.g., Information Security Policy, Statement of Applicability, Risk Assessment Methodology, Access Control Policy, etc.
Documents that are not mandatory, but are commonly used - e.g., BYOD Policy, Classification Policy, Password Policy, Backup Policy, etc.
Regarding the controls you mentioned:
A7.3 (Termination and change of employment): the implementation of this control usually only requires some adjustments to practices that are normally performed by Human Resources.
A9.3 (User responsibilities): This control is documented in the template IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management
A9.4 (System and application access control): Controls from this section are documented in the templates Information Classification Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management, and Access Control Policy, located in folder 08 Annex A Security Controls >> A.9 Access Control Policy
A12.4 (Logging and monitoring): Controls from this section are documented in the Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security
A12.5 (Control of operational software): This control is documented in the IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management
A12.6 (Technical vulnerability management): Controls from this section are documented in the IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management
A12.7 (Information systems audit considerations): This is not a commonly implemented control.  
A13.2 (Information transfer): Controls from this section are documented in the Bring Your Own Device (BYOD) Policy, located in folder 08 Annex A Security Controls >> A.6 Organization of Information Security, Confidentiality Statement, located in folder 08 Annex A Security Controls >> A.7 Human Resource Security, IT Security Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management, Information Classification Policy, located in folder 08 Annex A Security Controls >> A.8 Asset Management, Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security

A14.2 (Security in development and support processes): Controls from this section are documented in the Security Procedures for IT Department, located in folder 08 Annex A Security Controls >> A.12 Operations Security, Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System acquisition, development, and maintenance, Supplier Security Policy, located in folder 08 Annex A Security Controls >> A.15 Supplier relationships

A14.3 (Test data): This control is documented in the Secure Development Policy, located in folder 08 Annex A Security Controls >> A.14 System acquisition, development, and maintenance
A17.2 (Redundancies): This is not a commonly implemented control.
A18.1 (Compliance with legal and contractual requirements): Controls from this section are documented in the Procedure for Identification of Requirements, located in folder 02 Identification of Requirements

A18.2 (Information security reviews): This is not a commonly implemented control.

By the way, included in your toolkit you ha a List of documents file that can show you which clauses and controls are covered by each template.

Many thanks for the response.   I do have an immediate question and would greatly appreciate if you could advise the following:

Industry: software developer. 

A12.6 (Technical vulnerability management): Does the company need to conduct VAPT for every software that they develop?  If so, how often?  If not, how do they decide which software needs VAPT?

ISO 27001 does not prescribe that you need to perform a Vulnerability Assessment and Penetration Test on every developed software.

The decision about which developed software should undergo Vulnerability Assessment and Penetration Test, and how often perform VAPT is based on the results of risk assessment and applicable legal requirements (e.g., laws, regulations, or contracts).

These articles will provide you a further explanation about penetration test and vulnerability assessment:

• How to use penetration testing for ISO 27001 A.12.6.1 https://advisera.com/27001academy/blog/2016/01/18/how-to-use-penetration-testing-for-iso-27001-a-12-6-1/
• How to manage technical vulnerabilities according to ISO 27001 control A.12.6.1 https://advisera.com/27001academy/blog/2015/10/12/how-to-manage-technical-vulnerabilities-according-to-iso-27001-control-a-12-6-1/

In order to show evidence that ISMS has been implemented, must we show a minimum period of implementation?  For example, 3 months?  What will the external auditor look out for in terms of actual implementation of the ISMS for ISO27001 certification?  Please advise.

1 - In order to show evidence that ISMS has been implemented, must we show a minimum period of implementation?  For example, 3 months?

This is different from one certification body to the other - some require you to have ISMS in full operation for at least 3 months, while others do not have such criteria. The best would be if you ask for proposals from a couple of certification bodies, and ask them this specific question.

These articles may also help you:

• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
• Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/

2 - What will the external auditor look out for in terms of actual implementation of the ISMS for ISO27001 certification?  Please advise.

The certification auditor will look for all documents and records stated as mandatory by the standard, and those considered applicable by the organization (e.g., policies and procedures related to applied controls).

In the ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while non-mandatory requirements/documents are related to the words “may” or “should”.

Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:

• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Records of training, skills, experience, and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)

These articles will provide you a further explanation about documents required for certification and the certification audit:

• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
• Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

These materials will also help you regarding the certification process:

• Preparing for ISO Certification Audit: A Plain English Guide https://advisera.com/books/preparing-for-iso-certification-audit-plain-english-guide/
• ISO 27001/ISO 22301: The certification process [free webinar] https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/