ISO 27001 records of implementation
1. Risk treatment plan (clauses 6.1.3 e and 6.2) to evidence what was planned for the control implementation (e.g., policies, procedures, trainings, etc.).
2. Records of training, skills, experience and qualifications (clause 7.2), to evidence that people performing the control are competent to do so
3. Logs of user activities, exceptions, and security events (clauses A.12.4.1 and A.12.4.3), to provide information to be evaluated and trigger other related controls (e.g., incident response)
4. Monitoring and measurement results (clause 9.1), to evidence the control is actually working
5. Results of internal audits (clause 9.2), to evidence independent evaluation of the implemented control
6. Results of the management review (clause 9.3), to evidence management follow-up of the risk treatment plan and the control results
7. Results of corrective actions (clause 10.1), to evidence improvement
Answer: The risk treatment plan evidences only that you made a plan to implement controls. You will need all the other listed information to evidence that the controls are actually in place, operating and being followed up properly, and that information will be spread across many areas of your organization (e.g., HR, operations, top management, etc.). You can think of the risk treatment plan as the source you will consult to find where all the "records of implementation" are.
This article will provide you further explanation about what to consider as evidence of implementation:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
These materials will also help you regarding evidence of implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Nov 26, 2016