ISO 27001 implementation

1 - I need to know if the documentation toolkit is inclusive of written policies and standards for implementation.

The A.12 Protection against Malware policy for example has the control objective of ensuring that detection, preventive and recovery controls should be implemented.

In my new organisation, the standards for implementing the Controls against Malware covers detection and prevention but makes no mention of recovery. Do I include recovery controls in the standard?

Answer: The ISO 27001 Documentation Toolkit contains all documents required by the standard (e.g., ISMS scope, ISMS policy, etc.), and also the most commonly used documents. This toolkit has been used with success by organizations all around the world for ISO 27001 implementation and certification.

Regarding control A.12.1 Controls against malware, it is covered by template IT Security Policy, which also covers all necessary controls to ensure malware detection and prevention, as well as recovery from a malware incident.

And regarding your question about the need to include recovery controls, you need to include rules for recovery because this is required by the standard.

To see how this IT Security Policy template looks like, as well as all other documents in the toolkit, please access this free demo at this link: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

For further information, see:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2 - Also some policies overlap into different clauses i.e. A16 Information Security Incident Management and A17 Information Security Aspects of Business Continuity, should there be a single policy that is used to reference a similar control or there should be different policies relating to the same subject?

Answer: ISO 27001 does not prescribe how documents need to be put together, so both approaches are acceptable for certification purposes.

A common configuration is to have separate documents: one describing the general approach for all kinds of incidents (i.e., a procedure for incident management), and specific procedures for handling major incidents that can disrupt business operations (these are referred to in the general procedure for incident management).

This article will provide you a further explanation:
- How to handle incidents according to ISO 27001 A.16 https://advisera.com/27001academy/blog/2015/10/26/how-to-handle-incidents-according-to-iso-27001-a-16/
- Incidents in ISO 22301 vs. ISO 27001 vs. ISO 20000 vs. ISO 28003 https://advisera.com/27001academy/blog/2016/09/05/incidents-in-iso22301-vs-iso27001-vs-iso-20000-vs-iso28003/

Is an information security steering committee a key requirement for ISO 27001 implementation? If so, which of the policies covers that requirement?

ISO 27001 does not require an information security steering committee to be defined, only that information security responsibilities are defined (an information security steering committee is only one way to define management responsibilities).

The high-level information security responsibilities are defined in the Information Security Policies. Responsibilities on other levels are defined in supporting policies and procedures.

These articles will provide you a further explanation about the definition of responsibilities:

• Roles and responsibilities of top management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/06/09/roles-and-responsibilities-of-top-management-in-iso-27001-and-iso-22301/
• How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/

My new organisation are migrating to cloud and want to ensure cloud deployment is compliant with ISO 27001.

How do I go about ensuring compliance? Is it through policies? Which policies? I need your advice.

Unless you have requirements for specific cloud security controls, your information security implementation compliant with ISO 27001 follows the same steps as for a non-cloud environment:
getting management buy-in for the project;

1. defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding organizational context and requirements of interested parties;
2. development of risk assessment and treatment methodology;
3. perform a risk assessment and define the risk treatment plan;
4. controls implementation (e.g., policies and procedures documentation, acquisitions, etc.);
5. people training and awareness;
6. controls operation;
7. performance monitoring and measurement;
8. perform internal audit;
9. perform management critical review; and
10. address nonconformities, corrective actions, and opportunities for improvement.

Regarding your question about which policies, this will depend on the results of risk assessment and identified legal requirements.

For further information, see:

• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/ 

To see how documents compliant with ISO 27001 looks like, please take a look at the free demo of our ISO 27001 Documentation Toolkit: https://advisera.com/27001academy/iso-27001-documentation-toolkit/

These materials will also help you regarding the ISO 27001 implementation:

• Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/