Expert Advice Community

ISO 27001:2022 mandatory documents and records

Guest user Created:   Feb 24, 2023 Last commented:   Feb 24, 2023

I have bought your toolkit in the past and am preparing an ISO27001 2022 implementation and certification.

I want to get a clear picture of which documents and records are mandatory.
 
1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”.  If I understand it correctly they both relate to ISO 27001 2022. Correct?

2 - Can you explain to me why i.e information classification policy, confidentiality statement, training and awareness are mentioned as mandatory in the PDF file and are NOT listed as mandatory on the webpage?

Expert
Rhand Leal Feb 24, 2023

1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”.  If I understand it correctly they both relate to ISO 27001 2022. Correct?

Your understanding is correct. Both the article and the file are related to the current ISO 27001:2022.

2 - Can you explain to me why i.e information classification policy, confidentiality statement, training and awareness are mentioned as mandatory in the PDF file and are NOT listed as mandatory on the webpage?

First, it is important to note that the article focuses on controls that require documentation, and the List of documents focuses on which documents cover which controls.

Considering that, no control requires an Information Classification Policy to be documented (that’s why it is not mentioned in the article), but since the Information Classification Policy in the toolkit covers control A.5.10 (Acceptable use of information and other associated assets), and this control requires documentation, then the Information Classification Policy needs to be documented in case the control A.5.10 is applicable.  

Regarding the Confidentiality Statement, it is one example of a document related to the “Definition of security roles and responsibilities”, which in the article is implemented by means of “Agreements, NDAs, and specifying responsibilities in each security policy and procedure”.

As for the Training and Awareness Plan, it is one example of a record related to “Training, skills, experience, and qualifications”.
