Hi, do we have to have separate documents for 4.1, 4.2, 4.3, 5.1,5.2,5.3 or can this all be one big document with an index?
Assign topic to the user
First is important to note that only clauses 4.3 and 5.2 require documents to be written.
Considering that, ISO 27001 does not prescribe how to document information, so organizations are free to document information as they see fit.
For example, the ISMS Scope (clause 4.3), and the Information Security Policy (clause 5.2) can be written as a single document.
Regarding clause 5.3, normally roles and responsibilities are written in the own documents describing the activities to be performed. We do not recommend documenting all responsibilities in a single document, because it will become too big and complex to read and maintain.
These articles will provide you a further explanation about documentation:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
- How to document roles and responsibilities according to ISO 27001 https://advisera.com/27001academy/blog/2016/06/20/how-to-document-roles-and-responsibilities-according-to-iso-27001/
These materials will also help you regarding documentation:
- Managing ISO Documentation: A Plain English Guide https://advisera.com/books/managing-iso-documentation-plain-english-guide/
Comment as guest or Sign in
Jun 03, 2020