ISO 27001:2022 mandatory documents and records
I have bought your toolkit in the past and am preparing an ISO 27001:2022 implementation and certification.
I want to get a clear picture of which documents and records are mandatory.
1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”. If I understand it correctly they both relate to ISO 27001 2022. Correct?
2 - Can you explain to me why, i.e., the information classification policy, confidentiality statement, and training and awareness are mentioned as mandatory in the PDF file and are NOT listed as mandatory on the webpage?
1 - I have read your webpage article on: https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-revision
and the content of “List_of_documents_ISO_27001_2022_Documentation_Toolkit_EN.pdf”. If I understand it correctly they both relate to ISO 27001 2022. Correct?
Your understanding is correct. Both the article and the file are related to the current ISO 27001:2022.
2 - Can you explain to me why, i.e., the information classification policy, confidentiality statement, and training and awareness are mentioned as mandatory in the PDF file and are NOT listed as mandatory on the webpage?
First, it is important to note that the article focuses on controls that require documentation, while the List of documents focuses on which documents cover which controls.
Considering that, no control requires an Information Classification Policy to be documented (that’s why it is not mentioned in the article), but since the Information Classification Policy in the toolkit covers control A.5.10 (Acceptable use of information and other associated assets), and this control requires documentation, the Information Classification Policy needs to be documented if control A.5.10 is applicable.
Regarding the Confidentiality Statement, it is one example of a document related to the “Definition of security roles and responsibilities”, which in the article is implemented by means of “Agreements, NDAs, and specifying responsibilities in each security policy and procedure”.
As for the Training and Awareness Plan, it is one example of a record related to “Training, skills, experience, and qualifications”.
Feb 24, 2023