Expert Advice Community

ISO 27001 records of implementation

Guest user Created:   Nov 26, 2016 Last commented:   Nov 26, 2016

Can I conclude that among the following comprehensive list the Risk treatment plan is the evidence of “Records of implementation” when implementing the required controls?
Expert
Rhand Leal Nov 26, 2016

1. Risk treatment plan (clauses 6.1.3 e and 6.2) to evidence what was planned for the control implementation (e.g., policies, procedures, trainings, etc.).
2. Records of training, skills, experience and qualifications (clause 7.2), to evidence that people performing the control are competent to do so
3. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3), to provide information to be evaluated and trigger other related controls (e.g., incident response)
4. Monitoring and measurement results (clause 9.1), to evidence the control is actually working
5. Results of internal audits (clause 9.2), to evidence independent evaluation of the implemented control
6. Results of the management review (clause 9.3), to evidence management follow-up of the risk treatment plan and the control results
7. Results of corrective actions (clause 10.1), to evidence improvement

Answer: The risk treatment plan evidences only that you made a plan to implement controls. You will need all the other listed information to evidence that the controls are actually in place, operating and being followed up properly, and that information will be spread across many areas of your organization (e.g., HR, operations, top management, etc.). You can think of the risk treatment plan as the source you will consult to find where all the "records of implementation" are.

This article will provide you further explanation about what to consider as evidence of implementation:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/

These materials will also help you regarding evidence of implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
