Expert Advice Community

List of evidence required against each mandatory clauses

  Quote
Created:   Jul 25, 2020 Last commented:   Jul 25, 2020

List of evidence required against each mandatory clauses

Hi Dejan, how are you doing? I am implementing ISO 27001 in my organization and hoping if you could help me a guidance Can you please share/suggest a list of evidence required against each mandatory clauses (4-10) of ISO 27001? Exactly what kind of evidence will suffice the requirement Each mandatory clause
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Jul 25, 2020

In ISO world, mandatory requirements/documents are related to the words “must” or “shall”, while nonmandatory requirements/documents are related to the words “may” or “should”. Documents and records mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10) are:
- Scope of the ISMS (clause 4.3)
- Information security policy and objectives (clauses 5.2 and 6.2)
- Risk assessment and risk treatment methodology (clause 6.1.2)
- Statement of Applicability (clause 6.1.3 d)
- Risk treatment plan (clauses 6.1.3 e and 6.2)
- Risk assessment report (clause 8.2)
- Records of training, skills, experience and qualifications (clause 7.2)
- Monitoring and measurement results (clause 9.1)
- Internal audit program (clause 9.2)
- Results of internal audits (clause 9.2)
- Results of the management review (clause 9.3)
- Results of corrective actions (clause 10.1)

Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happen:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with that demands the application of the control
- There is a top management decision to implement the control, by considering it as good practice.

If none of the above conditions happen, there is no need to implement a document related to that control.

Besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

These articles will provide you a further explanation about ISO 27001 documents and selection of controls:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
- Infographic: The brain of an ISO auditor – What to expect at a certification audit https://advisera.com/articles/infographic-the-brain-of-an-iso-auditor-what-to-expect-at-a-certification-audit/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jul 25, 2020

Jul 25, 2020